clean-code-inspector
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by ingesting external content (code diffs) and passing it to sub-agents.
  - Ingestion points: The sub-agent task prompt interpolates file content fetched via `git diff -- [파일]`.
  - Boundary markers: Absent. The sub-agent prompt lacks delimiters (e.g., XML tags or triple quotes) to separate instructions from the code being analyzed.
  - Capability inventory: The skill can spawn sub-agents ('general-purpose'/'sonnet'), execute shell commands (`git`), and write files to the project root (clean-code-inspect-result.md).
  - Sanitization: Absent. There is no filtering or instruction to the sub-agent to ignore natural language commands embedded in code comments.
- Command Execution (LOW): The skill uses `git status` and `git diff` to inspect the local environment. While these are necessary for the skill's functionality, they interact directly with the host filesystem and repository state.
- Metadata Deception (LOW): The skill uses strong imperative language ('CRITICAL: You must evaluate...') to enforce its internal framework. While not a safety bypass, this style of instruction is often used in prompt injection patterns.
Recommendations
- AI detected serious security threats
Audit Metadata