zp
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the zp CLI and native backend commands such as container exec to manage files and execute tasks within isolated development environments.\n- [EXTERNAL_DOWNLOADS]: The bootstrapping process automatically clones repositories and executes an install.sh script from the vendor's dotfiles repository to configure new environments.\n- [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection by design.\n
- Ingestion points: The agent is instructed to look for and read an AGENTS.md file within cloned repositories to acquire project-specific context and instructions.\n
- Boundary markers: The skill does not define explicit delimiters or warning instructions to prevent the agent from obeying potentially malicious commands embedded in project files or AGENTS.md.\n
- Capability inventory: The agent has broad system capabilities including executing shell commands, cloning external repositories, and running setup scripts.\n
- Sanitization: There is no evidence of sanitization, verification, or validation of the content retrieved from repositories before it is processed by the agent.
Audit Metadata