fix-bug

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • Data Exposure & Exfiltration (HIGH): The skill explicitly instructs the agent to search for existing projects in D:\Projects\*. This is a broad path that may contain sensitive data, credentials, or unrelated private projects. Accessing files outside the immediate workspace environment without explicit user boundaries for each execution increases the risk of unauthorized data access.
  • Indirect Prompt Injection (HIGH): The skill possesses a HIGH capability tier (Bash, Write, Edit) and processes untrusted data (bug descriptions and existing source code).
    • Ingestion points: User input from /fix-bug [args] and content from files read via the Read and Grep tools.
    • Boundary markers: None. There are no instructions to the agent to treat external file content as untrusted or to isolate it from instruction processing.
    • Capability inventory: Bash (arbitrary command execution), Write/Edit (file system modification), and Grep/Glob (information gathering).
    • Sanitization: None. The skill does not provide any logic to sanitize or validate the content of the bugs it is fixing before using that content to drive its execution flow.
  • Command Execution (HIGH): The skill's 'Layout Restoration Pattern' directs the agent to execute git commands (git log, git show) based on user requests to 'restore' or 'add back' features. An attacker could potentially use this to trigger command injection if the file names or commit references are manipulated.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:56 PM