research-codebase
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute various shell commands and CLI tools, including `git` (for metadata), `date`, `basename`, `gh` (GitHub CLI), and `bunx` to run `@playwright/cli`.
- [DYNAMIC_CONTEXT_INJECTION]: The skill provides a template for research documents that uses the `!command` syntax (e.g., `!date ...`, `!git ...`). If the execution environment evaluates these markers upon file creation or subsequent reading, it allows for dynamic shell command execution within the generated files.
- [EXTERNAL_DOWNLOADS]: The skill uses `curl` and `playwright-cli` to fetch data from arbitrary external URLs provided in the research query or discovered during codebase analysis, including searching for `llms.txt` and markdown versions of documentation.
- [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: External web content fetched via `curl`/`playwright-cli` and local codebase files read via `readFile` (SKILL.md).
  - Boundary markers: The instructions do not define delimiters or specific "ignore instructions" wrappers for the ingested content.
  - Capability inventory: The skill and its sub-agents have capabilities for file reading (`readFile`), network access (`curl`/`playwright`), file writing (`TodoWrite`), and spawning additional task agents.
  - Sanitization: There is no mention of sanitizing, escaping, or validating the content fetched from the web or read from the codebase before it is processed by the LLM for synthesis.
- [DATA_EXFILTRATION]: While intended for research, the capability to read any file in the codebase (`readFile` without limits) combined with the ability to perform network operations (`curl`) creates a standard pattern for potential data exfiltration if the agent is misled by malicious data.
Audit Metadata