repo-audit
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from repository files (READMEs, CHANGELOGs, source code comments) to determine which files to delete or modify.
  - Ingestion points: README, CHANGELOG, docs/*, source code comments, and YAML workload definitions.
  - Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands in the processed data.
  - Capability inventory: High-privilege file system operations including folder deletion (data/templates/), file modification, and .env variable removal.
  - Sanitization: None. The agent directly interprets natural-language descriptions in files as technical findings.
- [Data Exposure] (MEDIUM): The skill is designed to parse .env files to find 'unused' variables. This forces the agent to handle raw secrets, which can lead to credential exposure in the 'Repo Audit Report' or session logs if placeholders are incorrectly identified.
- [Integrity Risk] (MEDIUM): The 'Workflow' allows for automated application of 'Y/n' recommendations. If an indirect injection successfully creates a 'Low Risk' recommendation to delete a critical system file, a user pressing 'Enter' would unknowingly execute the attack.
Recommendations
- AI detected serious security threats
Audit Metadata