agents-md-improver
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's primary function is to ingest instructions from repository files and 'consolidate' them. This is a high-risk pattern where an attacker could place malicious instructions in a repo file (e.g., via a Pull Request) that the skill then incorporates into the canonical AGENTS.md file.
- Ingestion points: Reads from AGENTS.md, CLAUDE.md, .claude/CLAUDE.md, and GEMINI.md.
- Boundary markers: None specified for the read content.
- Capability inventory: File read, file write (patching), file deletion, and symlink creation.
- Sanitization: No mention of sanitizing or filtering instructions retrieved from files.
- [Persistence] (HIGH): By design, this skill modifies the long-term behavior of the agent by editing instruction files. Any successful injection becomes a persistent 'backdoor' in the agent's logic for that repository.
- [Command Execution] (MEDIUM): The skill automates filesystem operations including file deletion and symlink creation. While it requests user confirmation, it lacks validation on the paths or targets beyond basic name checks.
- Evidence: 'Delete the file', 'Replace the file with a symlink pointing to AGENTS.md'.
Recommendations
- AI detected serious security threats
Audit Metadata