csharp-test-develop
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): Vulnerable to Indirect Prompt Injection through untrusted source code ingestion.
  - Ingestion points: The skill reads C# files (e.g., src/Services/OrderService.cs) and interpolates the analysis results or content into a sub-agent prompt.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the Phase 2 Task prompt.
  - Capability inventory: The sub-agent has Write, Edit, and Bash capabilities, allowing it to modify files or execute system commands if manipulated.
  - Sanitization: No filtering or sanitization of the source code content is performed before processing.
- COMMAND_EXECUTION (HIGH): The skill allows execution of Bash(node *) and Bash(dotnet test *). While scoped, the dotnet test command will execute any code written to the test files. If the sub-agent is compromised via Indirect Prompt Injection, it can write malicious C# code that executes arbitrary system commands when the orchestrator runs the verification phase.
- EXTERNAL_DOWNLOADS (MEDIUM): Phase 0 relies on a local script, skills/csharp-tdd-develop/scripts/test-detector.js. This creates a cross-skill dependency where the security of this skill is tied to the integrity of another skill's scripts.
- DYNAMIC_EXECUTION (MEDIUM): The skill follows a 'generate then execute' pattern in which C# code is written to the filesystem and then executed via the .NET CLI. This is a standard workflow for testing but poses a high risk if the generation phase is influenced by malicious input.
Recommendations
- AI detected serious security threats
Audit Metadata