agentic-development
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core design of prioritizing repository-local instructions.
- Ingestion points: The agent is directed to read and follow instructions from repository files such as AGENTS.md, CLAUDE.md, SOUL.md, PRINCIPLES.md, PLANS.md, and README.md, as specified in SKILL.md and references/repo-orientation.md.
- Boundary markers: The skill lacks explicit instructions or delimiters to help the agent distinguish between its own system instructions and potentially malicious instructions embedded in the repository files it processes.
- Capability inventory: The skill enables significant capabilities including file system modifications (implementing/refactoring code), Git operations (branching/worktrees), and system command execution for verification and orientation.
- Sanitization: There is no evidence of content validation or sanitization for the data ingested from the local repository documentation files.
- [COMMAND_EXECUTION]: The skill includes utility scripts that execute local system commands to manage state and discover repository context.
scripts/repo_scan.py utilizes the subprocess module to execute git and rg (ripgrep) for repository mapping and observability detection. hooks/check-completion.sh executes jq, grep, and cat to parse session data and transcripts to determine if the agent should be blocked from stopping prematurely.
Audit Metadata