prime
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to load untrusted data from the codebase into the agent's context. If a repository contains a malicious `README.md` or files in `@ai_docs/`, an attacker can embed instructions to override the agent's system prompt.
  - Ingestion points: `README.md`, `ai_docs/cc_hooks_docs.md`, and `ai_docs/uv-single-file-scripts.md` via the `@file` reference syntax.
  - Boundary markers: Absent. There are no delimiters or instructions telling the agent to treat the ingested file content as data rather than instructions.
  - Capability inventory: The skill uses `git ls-files` and `eza` for discovery, but as a 'session primer,' it sets the stage for a coding agent which typically possesses file-write and command-execution capabilities, making the injection surface critical.
  - Sanitization: None. The content is passed raw to the agent.
- Command Execution (LOW): The skill executes `git ls-files` and `eza . --tree`. These are standard discovery commands for mapping a directory structure and do not present a high risk on their own, but they are executed shell commands.
Recommendations
- AI detected serious security threats
Audit Metadata