write-docs
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONNO_CODE
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is explicitly designed to read and process untrusted data from an external codebase, creating an attack surface where instructions embedded in code could influence agent behavior.
- Ingestion points: Uses
Grep,Glob, andReadtools on the../browseros-server/directory. - Boundary markers: The instructions do not define delimiters or provide 'ignore embedded instructions' warnings for the data being read.
- Capability inventory: The skill has access to
Bash,Task,Write, andEdittools, allowing it to execute commands and modify the filesystem. - Sanitization: There is no logic provided to sanitize or filter the content retrieved from the server codebase before it is processed by the agent.
- No Code / Command Execution (MEDIUM): The skill references and executes a local Python script (
scripts/save_clipboard.py) that is not included in the analysis package. - Evidence: The instruction
python scripts/save_clipboard.py docs/images/<feature-name>.pngis a core part of the workflow. - Risk: Accessing the system clipboard is a sensitive operation. Without the script's source code, it is impossible to verify if it performs exfiltration or other malicious actions with the clipboard data.
- Command Execution (LOW): The skill executes
mint devand uses theBashtool for exploration. While standard for documentation tasks, these provide the agent with significant environment access.
Recommendations
- AI detected serious security threats
Audit Metadata