planning
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): In references/codebase-understanding.md, the skill instructs the agent to "Analyze dotenv files and configuration." This constitutes a high-risk pattern as .env and other configuration files are primary locations for hardcoded credentials, API keys, and secrets.
- [COMMAND_EXECUTION] (MEDIUM): The references/research-phase.md file directs the agent to execute shell commands such as repomix --remote <github-repo-url>. Running shell commands with remote URLs provided as input can lead to command injection or unauthorized network access if the URLs are not strictly validated.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its data ingestion patterns.
  - Ingestion points: The skill reads local codebase files, GitHub PRs, issues, and remote repositories via repomix (as seen in references/research-phase.md and references/codebase-understanding.md).
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the prompt templates when handling this external data.
  - Capability inventory: The agent can execute shell commands and spawn sub-agents based on the information gathered.
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from these untrusted external sources.
Recommendations
- AI detected serious security threats
Audit Metadata