sherlock
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill includes instructions to override the agent's typical interaction protocols, explicitly commanding it to "NEVER STOP" and "not pause to ask the human if you should continue." This attempts to bypass standard user confirmation requirements for high-autonomy tasks like modifying files and executing shell commands.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted codebase data without proper isolation or sanitization.
  - Ingestion points: The agent ingests data from local project files (e.g., `package.json`, `Gemfile`) and test outputs (e.g., `npm test > /tmp/sherlock-run.log`) using the `Read`, `Grep`, and `Bash` tools.
  - Boundary markers: The skill lacks delimiters or instructions to treat ingested codebase content as data rather than instructions, which could lead to the agent following malicious commands embedded in the code.
  - Capability inventory: The skill leverages the `Write`, `Edit`, and `Bash` tools, allowing it to modify the filesystem and run arbitrary shell commands influenced by its analysis.
  - Sanitization: No input validation or escaping is performed on the content read from the project directory before it is processed by the agent's diagnostic logic.
- [COMMAND_EXECUTION]: The skill uses the `Bash` tool to run arbitrary test and build commands (e.g., `npm test`, `cargo test`, `pytest`) derived from the project's metadata. This execution of project-defined scripts could lead to code execution if the analyzed repository is malicious or compromised.
Audit Metadata