security-review

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Category 8: Indirect Prompt Injection] (HIGH): The skill is designed to process untrusted data (source code files) while maintaining high-privilege capabilities via the 'Bash' tool. This creates a risk where instructions embedded in the analyzed data could be followed by the agent.
  • Ingestion points: The skill utilizes 'Read', 'Grep', and 'Glob' tools to ingest content from the local file system (SKILL.md).
  • Boundary markers: No boundary markers or 'ignore' instructions are defined to prevent the agent from obeying commands found within the data it processes.
  • Capability inventory: The 'Bash' tool is included in the 'allowed-tools', granting the agent the ability to execute arbitrary shell commands.
  • Sanitization: No sanitization or filtering logic is present to secure the data before it enters the agent's context.
  • [Category 4: Remote Code Execution] (LOW): Although the 'Bash' tool allows for remote code execution (e.g., via curl), the provided example commands are focused on local analysis ('grep', 'npm audit'). However, the inherent risk remains due to the tool's broad capabilities.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 07:59 AM