resolve-fixme
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill instructions create a significant surface for indirect prompt injection by directing the agent to interpret and implement instructions found in codebase comments.
  - Ingestion points: The agent is instructed to read `FIXME` comment blocks from any source file identified by the discovery script.
  - Boundary markers: There are no markers or safety instructions used to delimit untrusted data from the agent's core instructions; rather, the skill explicitly states there is 'no skip path' and every `FIXME` must be implemented.
  - Capability inventory: The agent has the power to modify existing code, create new files, and execute shell commands (`bash`, `cargo`).
  - Sanitization: No sanitization or validation of the comment content is performed before the agent acts on it.
- [COMMAND_EXECUTION]: The workflow involves running local shell scripts and project-specific CLI tools.
  - Evidence: The workflow requires executing `bash .forge/skills/resolve-fixme/scripts/find-fixme.sh` and `cargo insta test --accept`.
  - Context: While these tools are standard for development, `cargo insta test --accept` automatically updates test snapshots, which could be exploited to hide or persist malicious changes if the agent is acting on a compromised instruction found in a comment.
Audit Metadata