takomi

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The agent_reset.md workflow includes instructions specifically designed to override the agent's current state and internal monologue (e.g., 'STOP THINKING. START DOING.', together with an implied 'disregard all prior rules' context). This is a functional feature for error recovery, but it uses patterns associated with behavioral overrides.
  • [EXTERNAL_DOWNLOADS]: The skill automates the installation of the jstar-reviewer CLI tool via global npm/pnpm installation commands in the spawn-jstar-code-review.md file. This tool is a resource belonging to the vendor (JStaRFilms).
  • [COMMAND_EXECUTION]: The skill makes extensive use of shell commands for project management, including scaffolding (pnpm create next-app), testing (npm test), and repository management (git commit, git push).
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of external tools (jstar) and dynamically managed scripts (vibe-verify.py) within the user's environment to perform code audits and project verification.
  • [DATA_EXPOSURE]: Several workflows (escalate.md, migrate.md) are designed to extract and consolidate project state, including full file contents and environment configuration, into handoff reports. While intended for session migration, this involves broad access to sensitive project data.
  • [INDIRECT_PROMPT_INJECTION]: The skill has a large attack surface, as it processes external, potentially untrusted data from project requirements, issue trackers, and existing source code.
      • Ingestion points: Reads content from docs/Project_Requirements.md, docs/issues/*.md, and various source files across the repository.
      • Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are implemented in the prompt templates that interpolate this data.
      • Capability inventory: The agent possesses capabilities for filesystem operations, network access (via npm/git), and arbitrary command execution.
      • Sanitization: There is no evidence of sanitization or validation of the natural-language data ingested from the project files.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 7, 2026, 01:00 PM