ds-fix
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Uses shell commands (
ls) to dynamically discover and resolve file paths for shared constraints and sub-skills within the author's local plugin cache (~/.claude/plugins/cache/edwinhu-plugins/). This is a legitimate mechanism for managing versioned vendor resources. - [PROMPT_INJECTION]: The skill processes potentially untrusted data (reviewer feedback, error tracebacks, and data profiles) while possessing significant capabilities, creating an indirect prompt injection surface.
- Ingestion points: Processes external inputs such as data distribution profiles, traceback error messages, and free-text reviewer comments in the 'Diagnose' and 'Revision Protocol' steps.
- Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when passing contextual data to the investigation sub-agents.
- Capability inventory: Includes local shell execution, multi-file reading, and the ability to spawn and orchestrate multiple sub-agents via
TeamCreateandSendMessage. - Sanitization: No sanitization or validation of external data is evident before it is interpolated into prompts for the hypothesis-investigation agents.
Audit Metadata