entropy
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's instructions make extensive use of the
Bashtool with unquoted placeholders such as{domain_name},{PR_NUMBER}, and{domain_slug}within shell commands. This pattern presents a command injection risk if these variables are populated with malicious shell metacharacters. - [COMMAND_EXECUTION]: The skill relies on the
GH_TOKENenvironment variable to authenticategh(GitHub CLI) commands for querying pull request files, listing issues, and creating new issues in repositories. - [EXTERNAL_DOWNLOADS]: The skill fetches metadata and file SHAs from the vendor's own GitHub repositories, such as
fellowship-dev/spec-kit, to identify architectural drift. These references are consistent with the skill's stated purpose for the fellowship-dev environment. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it reads content from local repository files and incorporates that data into its logic and reporting output.
- Ingestion points: File content from
docs/code-structure.md,ARCHITECTURE.md,QUALITY_SCORE.md, and various coverage report files (e.g.,coverage/index.html). - Boundary markers: Absent; the skill does not use delimiters or instructions to ignore embedded commands when processing ingested file content.
- Capability inventory:
Bashtool for command execution,Writetool for updating local documentation, and GitHub CLI for remote issue management. - Sanitization: No explicit sanitization or validation of the external file data is implemented before it is processed or interpolated into subsequent commands.
Audit Metadata