run
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core function involves processing untrusted codebase content.
  - Ingestion points: The skill reads project manifests and the entire codebase (Phase 3 and 4) and passes them to sub-agents. It also reads potentially tainted scanner JSON results (Phase 5).
  - Boundary markers: Sub-agent prompts use labels like 'FILES:' to separate instructions from data, but do not implement robust sanitization or escaping to prevent embedded instructions from influencing the LLM.
  - Capability inventory: Sub-agents have the ability to read and write files and use globbing. The main orchestrator has shell access via Bash.
  - Sanitization: No explicit sanitization or instruction-filtering is performed on the codebase data before it is processed by the LLMs.
- [COMMAND_EXECUTION]: The skill dynamically generates and executes shell commands for security analysis.
  - Evidence: Phase 2 executes multiple security scanners including semgrep, gitleaks, and trivy via Bash. These are well-known tools and their execution is central to the skill's primary purpose.
Audit Metadata