bugfix

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is critically exposed to indirect prompt injection from untrusted external data.
      • Ingestion points: Reads codebase files, error logs, and stack traces (Phase 1.4, 3.1) and processes user-provided symptoms ($ARGUMENTS).
      • Boundary markers: None. There are no delimiters or instructions to ignore embedded commands in the files it reads.
      • Capability inventory: Powerful write and execute permissions including file modification (Phase 5.2), creating new test files (Phase 4.1), and executing shell commands like 'npm test', 'npm run lint', and 'git log' (Phase 3.1, 5.3).
      • Sanitization: None. The skill assumes all content read from the project is benign.
  • Command Execution (MEDIUM): The skill executes scripts defined in the local environment, such as 'npm test' and 'npm run lint'. If the codebase being debugged is malicious, these commands can serve as vectors for arbitrary code execution on the host system via the project's 'package.json'.
  • Data Exposure (LOW): The skill writes detailed investigation logs, which might contain sensitive code snippets or environment details, to the shared '/tmp' directory (Phase 1.2), making them potentially accessible to other users on the system.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:56 AM