rules-reviewer
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill is designed to read and process external rule files, creating a vulnerability to indirect prompt injection. Ingestion points:
prompts/audit-batch.mdandprompts/review-single.mdingest file content from a target directory. Boundary markers: The prompts do not use delimiters (like XML tags) to separate untrusted file content from the agent's instructions. Capability inventory: Thereview-single.mdprompt utilizesWebSearchto verify content, which could be manipulated by a malicious file to influence search queries. Sanitization: No automated sanitization is performed on the ingested content before it is processed by the AI. - Security Best Practices (INFO): The
config/criteria.jsonfile proactively forbids dangerous patterns such asnpm installwithin the content being audited, reducing the risk of the skill endorsing malicious instructions.
Audit Metadata