warden
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The `warden add --remote` and `warden sync` commands allow the tool to fetch instructions from external GitHub repositories. These skills define agent behavior and tool access (including `Bash`, `Write`, and `Edit`). Fetching skills from untrusted or unpinned remote sources creates a pathway for remote instruction injection.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection (Category 8) as it processes untrusted data from local repositories.
  1. Ingestion points: File contents and git diffs provided as targets to the `warden` command.
  2. Boundary markers: The documentation does not specify the use of delimiters or instructions to ignore embedded commands in analyzed files.
  3. Capability inventory: Reviewed skills can be granted broad permissions including `Bash`, `Write`, `Edit`, and network access.
  4. Sanitization: No sanitization or filtering of analyzed code content is documented.
- COMMAND_EXECUTION (LOW): The skill's core functionality relies on executing the `warden` CLI and potentially other shell commands to perform analysis and apply fixes, which is the intended use case for this development tool.