dry-consolidation
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted source code from the local project environment.
  - Ingestion points: Project files are read using the Read, Grep, and Glob tools during the scanning and classification phases.
  - Boundary markers: The instructions lack boundary markers or warnings to the agent to disregard instructions potentially embedded in the source code.
  - Capability inventory: The agent has the ability to write to the filesystem (Write, Edit, MultiEdit) and execute commands (Bash), which could be leveraged if an injection is successful.
  - Sanitization: No sanitization or validation logic is applied to the ingested code before it is used to guide the refactoring process.
- [COMMAND_EXECUTION]: The skill uses broad shell command permissions to identify project metadata and run test suites.
  - Evidence: The allowed-tools section specifies several wildcard bash permissions including Bash(npx *), Bash(npm run *), and Bash(cargo *). Additionally, the Context section executes shell commands like find and echo to populate the agent context with directory structures and project types.