grimoire-vm
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Category: PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and interpret external '.spell' files, which provides a surface for instructions embedded in data to override agent behavior.
- Ingestion points: The skill reads spell source from file paths or inline text provided by users.
- Boundary markers: The instructions lack specific delimiters or instructions for the agent to ignore natural language prompts found within the spell content.
- Capability inventory: The skill explicitly maps DSL actions to powerful financial tools (e.g., `swap`, `lend`, `borrow`, `bridge`) which could be abused if the agent is manipulated by a malicious spell file.
- Sanitization: There is no evidence of sanitization or strict schema validation for the ingested spell text beyond 'best-effort' parsing.
- [Command Execution] (SAFE): The provided maintenance script `scripts/sync-references.sh` performs local file operations (mkdir, cat, sed) to sync documentation. While it manipulates files based on relative paths, it does not download external content or execute arbitrary user-provided commands.
Audit Metadata