security-best-practices
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) because it uses untrusted repository content as its primary input while holding high-privilege capabilities. 1. Ingestion points: it identifies frameworks and rules by inspecting the project repository and documentation files (SKILL.md). 2. Boundary markers: no markers exist to delineate untrusted data from the skill's own instructions. 3. Capability inventory: writing report files and performing Git commits to the user's codebase (SKILL.md). 4. Sanitization: none. The 'Overrides' section's instruction to 'not fight' with project-specific documentation effectively allows an attacker to control agent behavior through instructions embedded in that documentation.
- COMMAND_EXECUTION (MEDIUM): The skill is directed to perform Git commits and execute 'testing flows' as part of its fix workflow (SKILL.md). This poses a risk if these operations are influenced by malicious instructions in the analyzed codebase.
Recommendations
- AI detected serious security threats