architecture-review
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [Prompt Injection] (LOW): The skill exposes an indirect prompt injection surface by design as it ingests untrusted repository content to perform its primary function.
  - Ingestion points: Reads arbitrary project files, .architecture/config.yml, and .architecture/members.yml via Read, Glob, and Grep tools (SKILL.md).
  - Boundary markers: The instructions do not define explicit boundary markers or 'ignore' instructions for the data ingested from these files.
  - Capability inventory: The skill is authorized to use the Write tool and a restricted Bash tool for git operations (SKILL.md).
  - Sanitization: While the skill documentation mentions filename sanitization, it does not detail any sanitization or escaping for the content processed during the 'Analyze the Target' phase.
- [Command Execution] (SAFE): The Bash tool is explicitly restricted to git commands (git:*), which prevents the execution of arbitrary or malicious system commands.
- [Data Exfiltration] (SAFE): The skill does not have access to network tools like curl, wget, or fetch, preventing the exfiltration of the sensitive data it reads from the local environment.