expert-code-refactoring

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface for indirect prompt injection via the source code it refactors.
    1. Ingestion points: The skill reads external project files and tests as its primary input.
    2. Boundary markers: The instructions lack explicit delimiters or warnings to ignore instructions embedded within the code comments or strings of the processed files.
    3. Capability inventory: The agent is authorized to modify the filesystem (refactoring) and execute arbitrary code (running existing tests).
    4. Sanitization: There is no process defined to sanitize or validate the external code before it is interpreted by the agent.
  • Command Execution (HIGH): The workflow explicitly requires the agent to 'run existing tests' to verify stability. In a compromised or malicious repository, the test suite itself can contain arbitrary malicious commands that would be executed with the agent's privileges.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:47 PM