refactoring-playbook
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted external data, specifically the source code and documentation (migration-plan.md) of the project being refactored.
  - Ingestion points: The workers are instructed to read migration-plan.md, migration-status.md, and the target codebase.
  - Boundary markers: There are no instructions to use delimiters or to ignore embedded commands within the processed files.
  - Capability inventory: The skill explicitly performs command execution (e.g., npm test) and file writing.
  - Sanitization: No sanitization or validation of the processed code is mentioned, creating a vulnerability where the agent might follow instructions found within the code rather than its original directives.
- Command Execution (MEDIUM): The workflow relies on executing shell commands such as npm test and grep. Although these are standard tools for developers, their use in a context where the agent is actively processing and modifying external code increases the risk of malicious command injection if inputs are not strictly controlled.
Recommendations
- AI detected serious security threats
Audit Metadata