skills/gianchub/claude-plugins/audit/Gen Agent Trust Hub

audit

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection (Category 8) by design. It explicitly instructs the agent to discover 'intent' from untrusted data in the audited codebase and use that intent to cross-reference and potentially suppress audit findings. An attacker could place malicious instructions in code comments or documentation files to manipulate the audit outcome.
      ◦ Ingestion points: The skill reads every line of code within the user-defined scope, all documentation files project-wide (including agent instruction files like CLAUDE.md), and the git commit history.
      ◦ Boundary markers: No explicit boundary markers or 'ignore embedded instructions' warnings are mentioned for the processing of codebase content.
      ◦ Capability inventory: The skill can read any file in the project, execute shell commands (specifically git log), and write markdown reports to the project root.
      ◦ Sanitization: There is no evidence of sanitization or filtering of the content ingested from the codebase before it influences the agent's audit decisions.
  • [COMMAND_EXECUTION]: The skill utilizes a 'History Scanner' subagent to execute the git log command on in-scope files. While this is a common requirement for a code auditing tool to understand change rationale, it involves executing subprocesses on repository data that may be untrusted.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 13, 2026, 09:40 AM