refactor
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes external data which could contain malicious instructions.
- Ingestion points: Data enters the agent context through the $ARGUMENTS variable and via the content of the source code files selected for refactoring.
- Boundary markers: The prompt lacks clear delimiters or explicit instructions to distinguish between the refactoring logic and the content of the data being processed.
- Capability inventory: The skill allows the agent to modify files on the filesystem and execute arbitrary shell commands to run test suites.
- Sanitization: There is no evidence of sanitization, escaping, or validation of the input code before it is interpreted or the tests are executed.
- [COMMAND_EXECUTION]: The instructions require the agent to "Verify existing tests pass" and "Run tests after each step." This necessitates the execution of local shell commands (e.g., npm test, pytest). While this is the primary purpose of the skill, it represents a significant capability that could be leveraged by an attacker if an indirect prompt injection occurs.
Audit Metadata