cartography
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill exhibits a significant attack surface for indirect prompt injection by processing untrusted data with write capabilities.
- Ingestion points: The workflow involves analyzing arbitrary repository structures and reading code files as seen in Steps 2 and 4 of SKILL.md.
- Boundary markers: There are no specified delimiters or instructions for the AI to ignore instructions embedded within the codebase files being analyzed.
- Capability inventory: The skill explicitly grants write permissions for 'codemap.md' files across the repository to its sub-agents.
- Sanitization: No sanitization or validation of the ingested repository content is performed before it is passed to the agents for summarization.
- Command Execution (LOW): The skill executes a local Python script 'cartographer.py'.
- Evidence: Steps 2 and 3 use 'python3' to run a script located in the skill's configuration directory at '~/.config/opencode/skills/cartography/scripts/'. This is considered low risk as it targets a local script provided as part of the skill's own package.
Recommendations
- AI detected serious security threats
Audit Metadata