cartography
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by generating architectural documentation (`codemap.md`) that is intended to be read and followed by agents. Specifically, Step 5 of the workflow instructs the agent to reference the root `codemap.md` in `AGENTS.md`, which is automatically loaded into the agent's context for every session. This creates a mechanism where malicious instructions embedded in a repository's documentation could influence agent behavior.
  - Ingestion points: The skill reads `codemap.md` files (SKILL.md, Step 4) and repository source code (SKILL.md, Step 2).
  - Boundary markers: Absent. There are no instructions for the agent to use delimiters or security headers when reading or aggregating these files.
  - Capability inventory: The skill possesses file read/write capabilities, local script execution (`cartographer.py`), and the ability to delegate tasks to sub-agents.
  - Sanitization: Absent. The skill does not validate or sanitize the technical summaries generated from the code.
- [COMMAND_EXECUTION]: The workflow relies on executing a local Python script (`cartographer.py`) with command-line arguments (include/exclude patterns) derived from the agent's interpretation of the codebase. While these patterns are used only for file filtering, they represent a point where repository-derived data influences the execution of a local script.
Audit Metadata