security-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is subject to Indirect Prompt Injection (Category 8) risks due to its requirement to process untrusted external data with high-privilege capabilities.
- Ingestion points: The skill triggers on any plan, implementation, or user-provided code, as defined in the YAML frontmatter of SKILL.md.
- Boundary markers: Absent. There are no instructions in SKILL.md to wrap the untrusted input in delimiters (like XML tags) or to ignore embedded instructions within the files being analyzed.
- Capability inventory: The skill allows the agent to 'Implement the fix in the actual code' (Step 5) and 'agentically walk each attack path' (Steps 4 and 6), giving it significant write and execution influence based on the input.
- Sanitization: Absent. No sanitization or validation logic is defined to prevent instructions within the processed code from being interpreted as commands by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata