workspace
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill employs extensive shell commands, including `ls`, `grep`, `find`, and `cat`, to discover and analyze project structure and code patterns.
- [COMMAND_EXECUTION]: It implements multi-repo support by accessing sibling directories (e.g., `ls ../*.git`), which expands the agent's operational scope beyond the primary repository root.
- [CREDENTIALS_UNSAFE]: The analysis protocol specifically reads `../*/.git/config` to extract remote URLs, which can inadvertently expose authentication tokens or private repository locations if stored in the git configuration.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it automatically ingests and processes untrusted content from the local workspace to generate project specifications.
- [PROMPT_INJECTION]: Ingestion points: The skill reads directory structures, code files, and configuration manifests (e.g., `package.json`, `pyproject.toml`, `.git/config`) across the entire workspace (SKILL.md).
- [PROMPT_INJECTION]: Boundary markers: The skill does not define explicit delimiters or instructions to ignore malicious content embedded within the files it analyzes.
- [PROMPT_INJECTION]: Capability inventory: The agent has shell execution capabilities for discovery and file-writing capabilities to generate artifacts in the `_project_specs/workspace/` directory (SKILL.md).
- [PROMPT_INJECTION]: Sanitization: There is no evidence of sanitization, filtering, or validation of the data extracted from workspace files before it is included in the generated context artifacts.
Audit Metadata