refactoring-expert
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process external code for refactoring purposes. Because it lacks boundary markers or sanitization, it is highly susceptible to indirect prompt injection where malicious instructions are embedded within the code being analyzed.
- Ingestion points: Code snippets or files provided by the user for refactoring analysis (SKILL.md).
- Boundary markers: Absent; the instructions do not specify how to distinguish between user-provided code and agent instructions.
- Capability inventory: Access to
bashandgittools (SKILL.md 'allowed-tools'). These allow for full system command execution and repository modification. - Sanitization: Absent; the skill is instructed to 'run tests' and 'make changes' without verifying the safety of the content it is processing.
- Command Execution (HIGH): The skill explicitly allows the use of
bash. When combined with the instruction to 'Run tests after each small change', this creates a vector where an attacker provides code containing malicious test scripts or side-channel commands that the agent will execute in the user's environment.
Recommendations
- AI detected serious security threats
Audit Metadata