code-fragment-extractor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to its core functionality of processing untrusted data with high-privilege capabilities.
- Ingestion points: As described in the 'Working Flow', the skill uses 'Explore', 'Glob', and 'Read' tools to ingest external, untrusted source code from user-provided directories.
- Boundary markers: The instructions lack any boundary markers or system-level warnings to disregard instructions embedded within the processed code (e.g., malicious comments designed to hijack the agent's logic).
- Capability inventory: The skill has the capability to write multiple files to the filesystem (template files and an index.md) based on the content it extracts.
- Sanitization: There is no evidence of sanitization or escaping of the extracted code before it is written to the ./fragment-extractor directory, creating a risk that malicious payloads could be 'dropped' onto the system.
- [COMMAND_EXECUTION] (MEDIUM): The skill performs automated file system operations (creation and organization) based on external input. Without strict path validation, this could be exploited via path traversal if an attacker-controlled file suggests a functional name like '../../hidden_config'.
Recommendations
- AI detected serious security threats
Audit Metadata