researching-codebases
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill presents a high surface area for indirect prompt injection (Category 8) as it is designed to ingest and process untrusted data from multiple sources.
- Ingestion points: External data enters the context via
scripts/read-research.py, thereadtool in sub-agents, and thewebfetchtool in theweb-searcheragent. - Boundary markers: No specific delimiters or "ignore previous instruction" markers are defined for isolating processed content.
- Capability inventory: The skill possesses file write permissions (
todowrite,promote-research.py), local command execution (gather-metadata.py), and network access (webfetch). - Sanitization: No sanitization or filtering of external markdown or code content is implemented before it is processed by the agents.
- [COMMAND_EXECUTION]: The
scripts/gather-metadata.pyscript usessubprocess.runto execute localgitcommands. While the command list is static, it interacts directly with the local environment to retrieve repository configuration. - [DATA_EXFILTRATION]: The skill gathers Git metadata, including potentially sensitive repository remote URLs. The
web-searchercomponent'swebfetchtool provides a potential channel for data transmission to external domains, although it is a primary functional requirement. - [EXTERNAL_DOWNLOADS]: The
web-searcheragent fetches content from external web sources. This involves retrieving and processing data from potentially untrusted third-party domains.
Audit Metadata