ce-proof
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill reads local markdown files and uploads their contents to `https://www.proofeditor.ai` for sharing. This transmits local data to an external service that is not part of the standard whitelisted domains.
- [COMMAND_EXECUTION]: The skill makes extensive use of the `Bash` tool to orchestrate complex sequences of `curl` requests, `jq` data processing, and local file system operations like `mv` and `mktemp`.
- [PROMPT_INJECTION]: The skill's human-in-the-loop review mode in `references/hitl-review.md` creates a surface for indirect prompt injection. Specifically, Phase 2.3 instructs the agent to treat 'imperatives' found in user-authored comments (marks) as actionable commands to be executed directly, such as 'rename X to Y' or 'remove this'.
  - Ingestion points: Untrusted data is ingested from the `/api/agent/{slug}/state` endpoint in `references/hitl-review.md`.
  - Boundary markers: There are no markers or instructions provided to the agent to distinguish between data and instructions within the comments.
  - Capability inventory: The agent has the ability to write to the local file system (`Write`) and execute shell commands (`Bash`), which can be triggered by these external comments.
  - Sanitization: No sanitization or validation logic is specified for the feedback ingested from the external service before the agent acts upon it.