judgment-day
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the way it processes external data. It ingests content from a `skill-registry.md` file and the target source code, then interpolates this untrusted data directly into the prompts of 'Judge' and 'Fix' sub-agents.
  - Ingestion points: Content is read from `skill-registry.md`, `.atl/skill-registry.md` (via `mem_search`), and the user-defined target source code files.
  - Boundary markers: The sub-agent prompt templates use standard Markdown headers (e.g., `## Target`, `## Project Standards`) but lack explicit instructions telling the sub-agents to ignore embedded instructions within the data or to treat them as non-authoritative.
  - Capability inventory: The orchestrator utilizes the `delegate` tool to spawn sub-agents. Specifically, the 'Fix Agent' is tasked with modifying source code based on findings, which could be exploited if malicious instructions in the target code successfully poison the synthesized verdict.
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the ingested source code or registry rules before they are injected into the delegation prompts.
- [COMMAND_EXECUTION]: The skill uses the `delegate` and `delegation_read` tools to execute logic via sub-agents and uses `mem_search` to query project data. While these are legitimate tool usages for an orchestrator skill, they represent the execution of agentic capabilities based on the synthesized review results.
Audit Metadata