repo
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE; categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection because it ingests untrusted local source code and metadata, then interpolates them directly into LLM prompts without sanitization.
  - Ingestion points: Reads local files like package.json and source files (src/**/*.ts) via cat, find, and tree.
  - Boundary markers: Absent; file content is placed directly into the prompt string without delimiters or instructions for the AI to ignore embedded commands.
  - Capability inventory: Content is sent to the gemini CLI tool for analysis.
  - Sanitization: Absent.
- DATA_EXFILTRATION (LOW): The skill transmits local codebase contents and structures to an external AI service.
  - Evidence: Commands use the gemini CLI to send source code samples and directory trees to remote endpoints.
  - Mitigation: This activity aligns with the skill's stated purpose of context bundling and utilizes a trusted provider (Google Gemini), which downgrades the risk.
- COMMAND_EXECUTION (SAFE): The skill utilizes common Unix utilities such as tree, jq, grep, and find to perform local repository analysis and mapping as part of its core functionality.