context-discovery
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs the agent to read and follow instructions from local project files that may be attacker-controlled.
- Ingestion points: Markdown files such as code-quality.md and security-patterns.md located within the resolved context_root.
- Boundary markers: No delimiters or safety instructions are provided to distinguish ingested context from the agent's core instructions.
- Capability inventory: The agent is directed to apply these discovered patterns to implementation tasks and pass them to subagents.
- Sanitization: No validation or sanitization of the content within the discovered files is performed before adoption.
- [DATA_EXFILTRATION]: The discovery protocol allows the context_root to be defined via a .oac.json file or discovered through a chain of glob patterns. This mechanism can be exploited for path traversal if a malicious configuration points the agent to sensitive directories (e.g., home directory paths) that contain a navigation.md file, potentially leading to unauthorized data access.
Audit Metadata