security-reviewer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection. The skill is designed to ingest and analyze untrusted external data such as source code, infrastructure configurations, and security scan results, as specified in the 'Core Workflow' and 'Knowledge Reference'. Because the skill is granted Bash tool access, a malicious actor could embed instructions within the analyzed code or documentation to hijack the agent's logic and execute unauthorized commands.
  - Ingestion points: Source code, infrastructure configs, and vulnerability patterns processed during audits.
  - Boundary markers: Absent; there are no instructions for the agent to treat external content as untrusted or to use delimiters.
  - Capability inventory: Bash, Read, Grep, Glob tools provide full shell and filesystem access.
  - Sanitization: Absent; the skill lacks validation or filtering instructions for external data before it influences tool usage.
- [COMMAND_EXECUTION] (MEDIUM): High-privilege tool availability. The explicit inclusion of Bash in the allowed-tools list for 'active testing' and 'exploitation' provides a broad attack surface. While 'MUST NOT' constraints are provided (e.g., 'Test on production systems without authorization'), these are natural language instructions that cannot technically prevent the agent from being manipulated into performing harmful actions on the host system.
Recommendations
- AI detected serious security threats
Audit Metadata