data-safety-auditor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, NO_CODE)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill exhibits a significant vulnerability to Indirect Prompt Injection (Category 8). It is designed to process external, untrusted content (source code, ASTs, and database configurations) and has high-impact capabilities such as making deployment decisions and generating new code.
- Ingestion points: The skill explicitly reads from `./src` and processes `codeAST`, `piniaStore`, and `pouchdbCode` as input data.
- Boundary markers: No delimiters or instructions to ignore embedded commands are present in the processing logic.
- Capability inventory: The skill can execute subprocesses to block CI/CD pipelines (`process.exit(1)`), read the entire file system of a project, and generate/modify code (test suites and remediation scripts).
- Sanitization: No sanitization, escaping, or validation of the external content is mentioned before it is processed by the agent's reasoning engine.
- NO_CODE (LOW): The skill consists entirely of markdown-based instructions. While it provides example JavaScript code, there are no actual scripts or executables included. The risk is derived from the instructions provided to the agent rather than the execution of the skill's own code.
- PROMPT_INJECTION (MEDIUM): The 'MANDATORY USER VERIFICATION REQUIREMENT' section uses strong directive language ('CRITICAL', 'REQUIRED', 'MANDATORY') to constrain the agent's behavior. While intended for safety, these instructions could be targeted by an attacker's payload to trick the agent into believing verification has already occurred or is unnecessary, effectively bypassing the skill's own safety logic.
Recommendations
- AI detected serious security threats
Audit Metadata