hunter-skeptic-referee
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection as it processes arbitrary codebases. While it utilizes isolated contexts to neutralize agent-to-agent bias, the ingestion of untrusted code could potentially influence sub-agent behavior if the code contains malicious instructions.
- Ingestion points:
SKILL.md(Steps 1, 2, and 3) where the Hunter, Skeptic, and Referee agents receive external codebase data and bug findings. - Boundary markers: The prompts use structural delimiters (e.g., 'Codebase to audit:', 'Relevant code snippets:') to separate instructions from data, though they lack explicit 'ignore embedded instructions' warnings.
- Capability inventory: The sub-agents (code-auditor, architecture-reviewer, tester) have specialized tools for analysis and testing within the
bopen-toolsframework. - Sanitization: No explicit sanitization or escaping of the input codebase is performed before being passed to sub-agents.
- [REMOTE_CODE_EXECUTION]: The skill invokes sub-agents using the
Agent()function with specificsubagent_typeparameters (bopen-tools:code-auditor,bopen-tools:architecture-reviewer,bopen-tools:tester). These tools are part of the author's own infrastructure (b-open-io) and represent the intended functionality of the skill rather than a security risk.
Audit Metadata