loose-ends
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted file content and presents it directly to the agent's context, creating a significant attack surface.
  - Ingestion points: `scripts/sweep.py` and various `grep` commands in `SKILL.md` read file content from the local codebase.
  - Boundary markers: Absent; results are displayed as plain markdown without delimiters or 'ignore' instructions.
  - Capability inventory: The skill allows the agent to use `bash`, `python`, and `git`, providing a high-impact set of tools if the agent is subverted by malicious input.
  - Sanitization: None; the skill does not filter or escape the contents of the scanned `TODO` or `console.log` lines.
- EXTERNAL_DOWNLOADS (LOW): The skill uses `npx tsc --noEmit`. While `npx` can download and execute remote packages, `typescript` is maintained by Microsoft, a trusted source. Per [TRUST-SCOPE-RULE], this download risk is downgraded to LOW, although it remains a runtime dependency.
- COMMAND_EXECUTION (LOW): `scripts/sweep.py` uses `subprocess.run` to execute `rg` or `grep`. While it correctly uses argument lists to mitigate shell injection, the skill relies on executing external system utilities to perform its primary function.
Recommendations
- AI detected serious security threats
Audit Metadata