build-feature
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a high-risk attack surface by ingesting untrusted data and having high-privilege capabilities.
  - Ingestion points: Accesses project files in `D:\Projects\*`, library files in `.claude/library/`, and git history via `git log` and `git show` commands.
  - Boundary markers: Absent. The skill does not instruct the agent to ignore instructions found within the files or history it reads.
  - Capability inventory: The skill is granted access to the `Bash`, `Write`, `Edit`, and `Read` tools, allowing it to execute arbitrary commands and modify the filesystem based on ingested content.
  - Sanitization: Absent. No validation of the ingested code or git history is performed before processing.
- Obfuscation (MEDIUM): The "VCL COMPLIANCE APPENDIX" uses a non-standard tagging system (e.g., `[[HON:teineigo]]`, `[[MOR:root:PA]]`). This serves as a layer of obfuscation that hides specific instructional intent from human reviewers.
- Data Exposure (MEDIUM): The skill explicitly directs the agent to access `D:\Projects\*`. This broad, hardcoded access path increases the risk of sensitive data exposure if the agent is misled by a prompt injection or malicious project file.
- Command Execution (HIGH): The skill leverages the `Bash` tool and provides specific instructions for executing shell commands. When combined with the instructions to "Apply proven patterns" from historical code, this creates a path for executing logic derived from potentially untrusted sources.
Recommendations
- AI detected serious security threats