spec-update
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): Vulnerable to Indirect Prompt Injection (Category 8). Ingestion points: the skill reads untrusted content via git diff, git log, and grep across the repository, as seen in Phase 1 and Phase 4 of SKILL.md. Boundary markers: none are specified to separate untrusted code content from agent instructions. Capability inventory: the skill uses the Bash, Write, Edit, and Task tools, which provide a high-impact execution surface if the agent is manipulated. Sanitization: no sanitization or filtering of implementation content is performed before processing.
- COMMAND_EXECUTION (HIGH): The skill uses the Bash tool to execute discovery and verification scripts. While the scripts in SKILL.md use standard git/grep commands, the combination of executing shell commands on untrusted repository data (such as filenames or commit messages) poses a risk of command injection if the agent's logic is subverted by malicious repository content.
Recommendations
- AI detected serious security threats
Audit Metadata