Skills
skills/itshalffull/concept-oriented-programming-framework/concept-scaffold-gen/Gen Agent Trust Hub

concept-scaffold-gen

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to perform scaffolding, checking, and testing operations through commands like clef scaffold concept, npx tsx, and npx vitest. These commands are expected for the skill's primary purpose but involve executing shell processes.\n- [PROMPT_INJECTION]: There is an indirect prompt injection surface where user-provided arguments (such as concept name, purpose, and action descriptions) are interpolated into generated .concept files. This could potentially influence downstream processes if those files are interpreted by other AI agents.\n
  • Ingestion points: SKILL.md arguments including $2 (purpose), $3 (stateFields), and $4 (actions) which accept free-form strings.\n
  • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the generation logic.\n
  • Capability inventory: Access to Bash and Write tools for generating and validating the specification files.\n
  • Sanitization: The skill does not document any sanitization or validation logic for the content of the user-provided arguments before they are written to disk.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 11, 2026, 03:48 PM