smart-rules
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface (Category 8): it monitors user prompts and 'TodoWrite' tool outputs for keywords that trigger document loading.
  1. Ingestion points: user prompts and TodoWrite tool output fields.
  2. Boundary markers: no explicit instruction is given to ignore embedded instructions within the ingested data.
  3. Capability inventory: the skill can read markdown files from the local project filesystem.
  4. Sanitization: no keyword or content validation is performed before loading.
  Additionally, the skill uses forceful directives such as 'CRITICAL' and 'MUST' to enforce its internal logic, though these are functionally focused.
- [COMMAND_EXECUTION]: The skill scans the project's file system (specifically .claude/rules/ and Docs/) and writes a configuration file named '.smart-rules.yaml' to the project root. These actions are within the intended scope of its utility.
- [SAFE]: No network access, remote code execution patterns, or hardcoded credentials were identified in the skill. All operations are confined to the local environment.
Audit Metadata