docs-writer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is designed to read, review, and edit external content (files in /docs, .md files, and code in packages/). This creates a significant surface for Indirect Prompt Injection. If an attacker submits a Pull Request containing malicious instructions hidden in documentation or code comments, the agent might follow those instructions when 'investigating' or 'auditing' the files.
- COMMAND_EXECUTION (HIGH): The skill includes an explicit instruction in Phase 4 to execute npm run format. While it requests user confirmation, a sophisticated prompt injection attack could be crafted to bypass this confirmation or manipulate the environment/scripts so that npm run format executes malicious code (e.g., via a poisoned package.json).
- DATA_EXFILTRATION (MEDIUM): By having the capability to read any file in the repository (Phase 2: Investigate) and potentially executing commands, there is a risk that sensitive data (like .env files or credentials) could be read and then exfiltrated if the agent is further manipulated via injection.
- INDIRECT PROMPT INJECTION (HIGH): Mandatory Evidence Chain:
  - Ingestion points: Reads files from /docs, packages/, CONTRIBUTING.md, and docs/sidebar.json (SKILL.md, Phase 2).
  - Boundary markers: None. There are no instructions to ignore embedded commands or treat file content strictly as data.
  - Capability inventory: Uses replace and write_file for file system modifications (Phase 3) and executes npm run format via a shell/subprocess (Phase 4).
  - Sanitization: None detected. The skill directly processes and acts upon the content it reads from the repository.
Recommendations
- AI detected serious security threats
Audit Metadata