rules-workflows
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted data (codebases) and transform that data into operational rules via workflow-rule-from-codebase.md. This represents a high-risk capability tier where malicious comments or documentation in a codebase could influence the agent's core behavior.
- Evidence Chain (Category 8):
  - Ingestion points: workflow-rule-from-codebase.md reads external codebases; user feedback triggers rule changes.
  - Boundary markers: None specified in the SKILL.md definition.
  - Capability inventory: run_command, write_to_file, read_file (defined in allowed-tools).
  - Sanitization: None specified; the skill explicitly encourages 'Meta-Programming' (self-modification) based on this input.
- Dynamic Execution (HIGH): The skill explicitly defines 'Self-Correction & Learning' as 'Meta-Programming', allowing the agent to modify its own instructions at runtime. If an attacker can influence the input to these triggers, they can effectively rewrite the agent's operating logic.
- Command Execution (HIGH): The skill metadata explicitly authorizes the run_command tool. Given that the skill's logic involves executing workflows and standardizing context, there is a risk of this tool being misused by dynamically generated rules or workflows derived from untrusted sources.
Recommendations
- AI detected serious security threats