progress-report
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill automatically executes project test suites (cargo test, bun test) to gather metrics. This results in the execution of arbitrary code contained within the untrusted project being analyzed.
- [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection (Category 8). The skill ingests untrusted data from the repository (filenames, git logs, and metadata) and interpolates it directly into an HTML template.
  - Ingestion points: Metric gathering commands in SKILL.md (Step 2) extract strings from the local file system and git history.
  - Boundary markers: None. Data is directly embedded into the HTML structure.
  - Capability inventory: The agent-browser tool is used to render the generated HTML from the local file system (Step 5), which grants the rendered content potential access to the file:// protocol.
  - Sanitization: No sanitization or escaping of project-derived strings is performed. A malicious commit message or filename containing HTML/JS could execute within the browser context, potentially exfiltrating local files or performing unauthorized actions.
- [CREDENTIALS_UNSAFE] (LOW): Documentation in SKILL.md (Step 3) provides example commands for hardcoding credentials (admin@example.com, password) into the agent's browser automation flow, encouraging unsafe credential handling practices.
Recommendations
- AI detected serious security threats
Audit Metadata