cartographer
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- **COMMAND_EXECUTION (LOW):** The skill uses the shell command `find` during Phase 1 (Reconnaissance) to map the directory structure. While used for discovery, it involves spawning a subprocess which can be a vector if path arguments were user-controlled.
- **PROMPT_INJECTION (MEDIUM - Indirect):** The skill processes untrusted content by reading source code files in the codebase (Phase 2). This creates a vulnerability to Indirect Prompt Injection where malicious instructions embedded in code comments could manipulate the agent's reasoning or the content of the generated `CODEBASE_MAP.md`.
  - Ingestion points: Phase 2 reads entry point files from major directories (e.g., `app/`, `lib/`).
  - Boundary markers: Absent; there are no instructions to the agent to distinguish between code and embedded natural language instructions.
  - Capability inventory: File reading, shell command execution (`find`), and file writing (`docs/CODEBASE_MAP.md`).
  - Sanitization: Absent; the content is synthesized into a new document without explicit filtering of malicious payloads.
- **UNVERIFIABLE_LOGIC (MEDIUM):** The skill's workflow depends on external files `references/inspection-rubric.md` and `references/map-template.md`. These files are not provided in the skill manifest, meaning the actual logic used to 'inspect' the code is hidden and could contain malicious instructions or prompt overrides.