refactor-pass
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by ingesting untrusted data (recent code changes) and maintaining high-privilege capabilities (executing build commands).
  - Ingestion points: Workflow Step 1 in SKILL.md directs the agent to "Review the changes just made."
  - Capability inventory: Workflow Step 3 in SKILL.md explicitly commands the agent to "Run build to verify behavior," which involves arbitrary command execution based on the local environment's build configuration.
  - Boundary markers: No delimiters or instructions are provided to help the agent distinguish between its own instructions and potentially malicious content within the code changes.
  - Sanitization: There is no evidence of sanitization or validation of the code content before it is processed or used to trigger build actions.
- Command Execution (MEDIUM): The requirement to "Run build" grants the agent the ability to execute subprocesses. If the build configuration (e.g., Makefile, package.json, pom.xml) has been tampered with or contains malicious hooks, the agent will unknowingly execute them.
Recommendations
- AI detected serious security threats
Audit Metadata