qa-engineer
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill lacks sanitization and boundary markers for untrusted data ingestion.
  - Ingestion points: Processes output from git diff and reads arbitrary source files from the anytype-ts repository (Phase 1 and Finding Selectors section).
  - Boundary markers: None. The instructions do not specify how to distinguish between code-to-be-analyzed and potential instructions embedded in that code.
  - Capability inventory: Writes files to ../anytype-desktop-suite/tests/, ../anytype-desktop-suite/specs/, and ../anytype-desktop-suite/src/pages/. Recommends execution of generated code via npm test.
  - Sanitization: None. The agent is directed to use content from translation files and source code directly in generated test logic, which could be exploited by an attacker placing instructions in string literals or comments.
- Dynamic Execution (HIGH): The skill follows a 'Generate-then-Execute' pattern.
  - Evidence: Phase 4 generates TypeScript files based on external source analysis, and Phase 6 explicitly provides a command to run the generated file using npm test. If the generation logic is compromised via Indirect Prompt Injection, this leads to immediate Remote Code Execution (RCE).
- Command Execution (MEDIUM): The skill uses shell commands like git diff and npm test to perform its tasks. While these are common for development tools, the execution of npm test on agent-generated code that was influenced by untrusted external sources elevates the risk of system compromise.
Recommendations
- AI detected serious security threats
Audit Metadata