ghost-scan-code
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted source code from the repository being scanned. Specifically, the 'analyzer.md' and 'verifier.md' agents read full file contents to identify and confirm vulnerabilities. There are no boundary markers or specific instructions to disregard embedded malicious prompts within the analyzed files. An attacker could craft source code that contains instructions to manipulate the agent's behavior, such as producing false reports or using the available 'Write'/'Edit' tools to modify the repository maliciously.
  - Ingestion points: 'prompts/analyzer.md' (Step 3: Read the candidate file) and 'prompts/verifier.md' (Step 3: Read the reported location).
  - Boundary markers: Absent in sub-agent prompts.
  - Capability inventory: Sub-agents have 'Read', 'Write', 'Edit', 'Glob', 'Grep', and 'Bash(mkdir:*)' capabilities as defined in 'scripts/loop.sh'.
  - Sanitization: No sanitization or filtering of the read code content is performed before processing.
- [COMMAND_EXECUTION]: The skill uses the 'Bash' tool to perform repository environment setup, calculate unique identifiers based on the git remote URL, and execute a local processing script ('scripts/loop.sh'). While the commands observed in 'SKILL.md' are standard for the stated purpose, the use of 'Bash' combined with file modification tools ('Write', 'Edit') provides a significant capability surface that could be exploited if an injection occurred.