refactoring-surgeon
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill has a high-risk attack surface for indirect prompt injection because it processes untrusted external content (source code) and can perform side-effect operations.
  - Ingestion points: The agent is instructed to read and process external code files using the Read and Edit tools (SKILL.md).
  - Boundary markers: The skill lacks markers or explicit instructions to ignore natural-language commands embedded in the code being refactored.
  - Capability inventory: The skill has permissions for Write, Edit, and Bash (specifically the npm, git, and lint commands), which could be subverted by malicious instructions in a target file.
  - Sanitization: No sanitization or validation logic is present to filter out non-code instructions during processing.
- [Command Execution] (LOW): The file scripts/validate-refactoring.sh performs local command execution.
  - Evidence: The script uses find, grep, wc, sort, uniq, and git to analyze the local codebase.
  - Risk Assessment: These operations are restricted to the current directory, do not access sensitive system paths (e.g., ~/.ssh), and do not perform network requests. The risk is considered LOW/INFO because it aligns with the skill's stated purpose of local code analysis.
Recommendations
- AI detected serious security threats