miloya-codebase
Warn
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is a data ingestion engine that processes untrusted project files to create repository snapshots, which creates a surface for indirect prompt injection.
  - Ingestion points: `scripts/generate.py` recursively scans the user-provided project directory.
  - Boundary markers: The skill outputs structured JSON but lacks strong boundaries to prevent the agent from obeying malicious instructions embedded in the project files.
  - Capability inventory: File system access (read/write) and execution of system commands via `subprocess`.
  - Sanitization: Performs basic comment stripping in `scripts/context_engine/analyzers.py`, which is insufficient to prevent prompt injection carried in string literals or documentation.
- [REMOTE_CODE_EXECUTION]: The skill performs dynamic library loading from paths within the target project being analyzed.
  - Evidence: In `scripts/context_engine/ts_ast_bridge.js`, the code uses `require.resolve` to find and load the `typescript` package from the local `node_modules` of the scanned project. A malicious project could provide a compromised version of this library, which would then run with the skill's privileges.
- [COMMAND_EXECUTION]: The skill executes external system commands using the `subprocess` module.
  - Evidence: `scripts/generate.py` and `scripts/context_engine/external_context.py` execute `git` commands to collect metadata. `scripts/context_engine/analyzers.py` executes `node` to run a local analyzer script.
Audit Metadata