context-optimization

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to read and process external data (codebase files, memory entities) and act upon them using high-privilege tools. An attacker could place malicious instructions in a file or a memory entry that the agent reads, leading to unauthorized actions.
  • Ingestion points: Uses Read, Grep, and mcp__memory__search_nodes to ingest data from the local filesystem and the memory tool.
  • Boundary markers: None. There are no instructions provided to the agent to treat external content as untrusted or to ignore embedded instructions within files or memories.
  • Capability inventory: Allows use of Bash, Write, Edit, and mcp__memory__* tools. These provide full capability to execute arbitrary commands, modify files, and manipulate persistent memory.
  • Sanitization: None. The skill does not define any validation or filtering for the content retrieved from external sources before it is used in decision-making or tool calls.
  • [COMMAND_EXECUTION] (HIGH): The skill explicitly grants access to the Bash tool in the allowed-tools section. While useful for development, this capability can be abused via indirect prompt injection to execute malicious scripts or exfiltrate data if the agent encounters instructions in the codebase it is analyzing.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:08 PM