refresh-docs
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell commands including git, jq, and cat to retrieve repository metadata and file differences. These operations are limited to the local filesystem and git history.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted content from the repository (source code and git diffs) and passing it to an LLM-based subagent for analysis.
- Ingestion points: Source code files, configuration files, and git diff output are read into the agent context in Step 4 of SKILL.md.
- Boundary markers: The instructions lack explicit delimiters or safety instructions to prevent the agent from following commands embedded in the source code it analyzes.
- Capability inventory: The agent has the ability to read arbitrary files in the repository and write updates to the documentation using the Edit tool.
- Sanitization: There is no evidence of content sanitization or filtering of the ingested source code before it is processed by the analysis subagent.