code-reader
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the cloning of external source code from GitHub repositories to a local directory for analysis. This behavior is consistent with the skill's stated purpose of reading and documenting codebases.
- [COMMAND_EXECUTION]: Executes shell commands including `git clone` and `git tag` to manage the source repository and detect versioning information. These commands are localized to the repository management workflow and do not involve administrative or persistent system changes.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it ingests and processes untrusted data (external source code) through multiple LLM subagents.
  - Ingestion points: Files are read from the target module directory (`{module-dir}`) and source repository (`{source-dir}`) during the tech-writer and qa-engineer phases.
  - Boundary markers: The prompts do not utilize explicit security delimiters (like XML tags or specific guardrail tokens) to isolate the untrusted code content from the instructions.
  - Capability inventory: The skill has the ability to read files, clone repositories, and write documentation to the local filesystem.
  - Sanitization: There is no evidence of content sanitization or instruction filtering performed on the source code before it is passed to the subagents.
Audit Metadata