python-sdk
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The refactor-helper agent defined in agents/refactor-helper.md processes user-supplied code, creating a surface for indirect prompt injection. An adversary could include malicious instructions within code comments or string literals to deceive the agent into performing unauthorized file modifications.
  - Ingestion points: The agent ingests data through the Read, Grep, and Glob tools, as well as direct user input of code snippets.
  - Boundary markers: The prompt lacks explicit delimiters or instructions to ignore embedded commands within the code being refactored.
  - Capability inventory: The agent has the ability to read and modify the filesystem using the Edit and Read tools.
  - Sanitization: No input validation or sanitization of the processed code is present to mitigate the risk of hidden instructions.
- [COMMAND_EXECUTION]: The refactoring assistant is granted powerful file system tools (Read, Grep, Glob, Edit) to modify the local codebase. While necessary for its function as a refactoring tool, these capabilities represent a high-impact surface that should be restricted to the intended repository environment to prevent misuse.
Audit Metadata