superdocs
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection (Category 8) due to the combination of untrusted data ingestion and file modification capabilities.
  - Ingestion points: The script `scripts/generate-docs.sh` uses the `Read`, `Glob`, and `Grep` tools to scan the entire contents of the target `$PROJECT_DIR`.
  - Boundary markers: Absent. The prompt does not define strict boundaries between its instructions and the data read from project files.
  - Capability inventory: The agent is granted the `Write` and `Edit` tools, allowing it to modify any file in the project directory.
  - Sanitization: Absent. Input from project files is processed directly by the model without escaping or validation.
- [PROMPT_INJECTION] (MEDIUM): The script explicitly overrides safety confirmations to support automation.
  - Evidence: In `scripts/generate-docs.sh`, the prompt instructs: 'You are running in headless/CI mode. Do not ask for user confirmation at any point.' This removes a critical human-in-the-loop safety check in the event of an injection attack.
- [COMMAND_EXECUTION] (LOW): The script executes shell commands via the Claude CLI but applies strict limitations.
  - Evidence: The `--allowedTools` flag in `scripts/generate-docs.sh` limits bash execution to a specific whitelist: `ls`, `git`, `tree`, `wc`, and `mkdir`. This implementation of the principle of least privilege effectively mitigates the risk of arbitrary command execution.
Recommendations
- AI detected serious security threats
Audit Metadata