codemap
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- Prompt Injection (HIGH): The skill is highly susceptible to Indirect Prompt Injection because it ingests untrusted data from the codebase being analyzed while possessing file-write and command-execution capabilities.
- Ingestion points: Multiple agents read files, manifests, and comments using tools like
cat,grep, andfind(via_rgand_finderhelpers). - Boundary markers: Absent. The prompts for the parallel agents do not use delimiters or provide instructions to ignore malicious embedded commands within the analyzed code.
- Capability inventory: The skill can create directories, write multiple markdown files, and perform Git operations (
git add,git commit). - Sanitization: Absent. Content from the codebase is processed and documented without filtering for malicious instructions.
- Data Exfiltration (HIGH): The skill specifically targets and documents sensitive information, which may lead to credential exposure.
- Evidence: The 'Tech Agent' guidelines explicitly instruct the agent to access
.env*files and search for secrets related to Stripe, Supabase, and AWS. - Risk: The discovered sensitive data is written to the
.planning/codebase/directory, and the skill encourages users to commit these files to version control, potentially leaking secrets into the repository history. - Command Execution (LOW): The skill uses several shell commands for orchestration.
- Evidence: Includes commands for directory creation (
mkdir -p), file verification (ls,wc), and Git management. - Note: While the commands are mostly scoped to a specific directory, the lack of input sanitization when agents interact with file content presents a theoretical path injection risk.
Recommendations
- AI detected serious security threats
Audit Metadata