refactor-clean
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to process external code provided via the
$ARGUMENTSvariable. - Ingestion Point: External source code provided for refactoring (SKILL.md).
- Capability Inventory: The instructions 'Apply changes in small slices' and 'Update tests and verify regressions' imply the agent has file-system write access and the ability to execute shell commands (test runners).
- Boundary Markers: There are no boundary markers or instructions to ignore embedded commands within the data being processed.
- Sanitization: No sanitization or validation of the input code is performed.
- Risk: An attacker could embed malicious instructions in comments or string literals within the code provided for refactoring, which could then be executed by the agent during the file-writing or testing phases.
- Command Execution (HIGH): The instruction to 'Update tests' implies the execution of arbitrary test suites located in the user's environment.
- Risk: If an indirect prompt injection succeeds, the agent could be tricked into running malicious scripts disguised as unit tests, leading to local code execution.
- External Source (LOW): The skill originates from an untrusted third-party repository (
github.com/sickn33/antigravity-awesome-skills), which has not been verified for safety or supply chain integrity.
Recommendations
- AI detected serious security threats
Audit Metadata