onboarding
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and processes untrusted data from repository files (READMEs, entry points, and configuration templates) to generate documentation.
- Ingestion points: The skill reads various files from the local repository in Phase 2, including `README.md`, primary entry points, and `.env.example` templates.
- Boundary markers: The instructions do not specify the use of clear delimiters or markers to isolate ingested content from the agent's internal instructions.
- Capability inventory: The skill has the ability to read and write files, execute shell commands (`node`, `curl`, `jq`), and perform network requests.
- Sanitization: The skill explicitly instructs the agent to exclude secrets and only extract environment variable names from configuration files, which serves as a mitigation strategy against accidental data exposure.
- [DATA_EXFILTRATION]: The skill provides an option to upload the generated `ONBOARDING.md` content to an external domain (https://www.proofeditor.ai/share/markdown). While presented as a user-initiated option for collaboration, this involves transmitting synthesized repository data to a third-party service.
- [COMMAND_EXECUTION]: The skill executes a bundled script (`scripts/inventory.mjs`) using the local `node` runtime. It also utilizes shell utilities like `curl` and `jq` to handle data exfiltration and formatting in Phase 5.
Audit Metadata