aif-docs
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the analysis of project-specific files. It specifically mandates reading `.ai-factory/skill-context/aif-docs/SKILL.md` and treats its contents as 'project-level overrides' that take priority over the skill's own instructions. If an attacker can modify these files or include malicious instructions in documented files like README.md, they can influence the agent's behavior.
  - Ingestion points: Project root markdown files, `.ai-factory/DESCRIPTION.md`, and the mandatory `.ai-factory/skill-context/aif-docs/SKILL.md` context file.
  - Boundary markers: Not present. The skill is instructed to adopt the context and instructions found in these files without explicit isolation.
  - Capability inventory: The skill has permissions for `Write`, `Edit`, `Bash(mkdir, npx, python)`, `WebFetch`, and `WebSearch`.
  - Sanitization: No sanitization or validation of the ingested project data is performed before it is used to generate or modify documentation.
- [COMMAND_EXECUTION]: The skill requests access to powerful CLI tools including `npx` and `python` via the `Bash` tool. While no explicit malicious payloads were detected in the provided files, the availability of these tools combined with the parsing of untrusted project data (e.g., executing documentation scripts via npx) represents a significant capability for remote code execution if the input data is manipulated.
Audit Metadata