developing

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The workflow 'workflows/researching-codebase.md' directs the agent to execute several local commands, including 'hack/spec_metadata.sh', 'humanlayer thoughts sync', and the GitHub CLI tool 'gh repo view'. These are used to generate metadata, synchronize research findings, and fetch repository details.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from the codebase. In 'workflows/researching-codebase.md' (Step 1), the agent is instructed to read files mentioned by the user or found in the repository in their entirety. No boundary markers or delimiters are used to separate this ingested content from the agent's internal reasoning instructions, and there is no evidence of sanitization of the file data before it is used to influence the agent's task decomposition and sub-agent spawning.
  • [PROMPT_INJECTION]: The instructions in 'workflows/analyzing-codebase.md' and 'workflows/researching-codebase.md' contain directives that explicitly tell the agent to 'DO NOT evaluate security implications' and 'DO NOT comment on... security concerns.' This represents a behavioral override that suppresses the agent's standard safety and security analysis functions while processing codebase information.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 15, 2026, 06:56 PM