neotex-init
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's core function is to ingest untrusted data from an external codebase to generate organizational knowledge.
  - Ingestion points: Uses `cat` on READMEs, package manifests, and CI/CD workflows (.github/workflows/*.yml). Background agents are tasked with sampling source files and searching for specific comment strings.
  - Boundary markers: None. Data from the codebase is processed and interpolated into prompts or shell commands without delimiters or 'ignore embedded instructions' warnings.
  - Capability inventory: The skill can execute arbitrary shell commands (`find`, `awk`, `sed`) and write data to an external service via the `neotex` CLI.
  - Sanitization: No sanitization or validation of the scanned content is performed before it is used to generate 'learnings' or reports.
- Command Execution (HIGH): The skill relies heavily on shell execution for file system discovery and data processing (`find . -type f | wc -l`, `awk`, `sed`). This pattern is susceptible to command injection if filenames in the scanned codebase are maliciously crafted (e.g., containing backticks or semicolons).
- Data Exfiltration (MEDIUM): Collected architectural data, decision logs, and code patterns are sent to an external tool (`neotex add`). The `neotex` utility is not a recognized trusted source, and the destination of the data is not transparent.
- Data Exposure (LOW): The skill explicitly targets sensitive configuration areas, including `.env.example` and CI/CD workflow files, which may leak internal infrastructure details or naming conventions to the external service.
Recommendations
- AI detected serious security threats
Audit Metadata