refactordjango
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Prompt Injection (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its core loop of processing untrusted code and executing it.
  * Ingestion points: The skill takes 'existing code' as input for refactoring in SKILL.md.
  * Boundary markers: There are no markers or instructions to isolate the provided code or ignore embedded instructions.
  * Capability inventory: Step 6 ('Run Tests') and the 'When to Stop' section mandate the execution of tests autonomously. This gives the agent the capability to run arbitrary code contained within the user's test suite.
  * Sanitization: The skill lacks any requirement to sanitize or verify the safety of the code before execution.
- Remote Code Execution (HIGH): The instruction to 'Continue the cycle of refactor -> test until complete' and 'Do not stop and ask for confirmation' allows for persistent and autonomous execution of malicious code provided by an attacker in the refactoring target.
- Command Execution (HIGH): The skill's requirement to run a test suite implies the use of shell commands (e.g., 'pytest' or 'manage.py test'), providing an attack surface for command injection if the input code is crafted to subvert these tools.
Recommendations
- AI detected serious security threats