start-refactor-task

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to run 'uvx skilllint@latest', which triggers the download of the skilllint package from a public registry (PyPI) at runtime.
  • [REMOTE_CODE_EXECUTION]: By using 'uvx skilllint@latest', the skill executes code downloaded from a remote source. This is an unverifiable dependency pattern from a non-trusted source.
  • [COMMAND_EXECUTION]: The skill directs the agent to execute shell commands, including 'uvx' and file deletion ('DELETE the file'). These operations are performed on paths and components specified in external task files, which may be manipulated.
  • [PROMPT_INJECTION]: The skill relies on external 'task files' and 'design specs' to define its refactoring logic, creating an indirect prompt injection surface.
      • Ingestion points: The file path provided in arguments and the design spec linked within that file.
      • Boundary markers: No boundary markers or 'ignore' instructions are used when reading external file content.
      • Capability inventory: The skill has extensive permissions, including file read, write, and delete operations, directory creation, and shell command execution via uvx.
      • Sanitization: No sanitization or validation of the external task instructions is performed.
  • [DATA_EXFILTRATION]: The combination of the ability to read any local file (as instructed by a task file) and the execution of external code from a public registry (via uvx) creates a potential exfiltration path for sensitive local data.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 08:41 AM