watzup
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill employs strong imperatives such as "IMPORTANT" and "MUST FOLLOW" to define its internal workflow and ensure adherence to reasoning protocols. These are standard operational instructions and do not attempt to bypass core safety guardrails.
- [PROMPT_INJECTION]: The skill contains a vulnerability surface for indirect prompt injection (Category 8).
  - Ingestion points: The agent reads local file content and commit history through `git diff` and file system access as part of the "Review" and "Doc Check" workflows.
  - Boundary markers: The skill lacks explicit delimiters or instructions for the agent to disregard embedded commands when processing these external file contents.
  - Capability inventory: The skill has the capability to execute local commands (`git`) and utilize workflow tools like `TaskCreate` and `/learn`.
  - Sanitization: No input validation or content filtering is performed on the data retrieved from the repository.
- [COMMAND_EXECUTION]: The skill executes the `git` command-line tool, specifically `git diff --name-only`, to identify changed files within the local repository.
- [DATA_EXFILTRATION]: The skill accesses files within project directories, including `.claude/hooks/`, `.claude/skills/`, and `src/`. While it performs read operations on these files, no network-based exfiltration patterns or outbound connections were identified.
Audit Metadata