aif-fix
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a high-risk surface for indirect prompt injection by design. It explicitly instructs the agent to read external files from the .ai-factory/skill-context/ directory and treat their contents as mandatory overrides that take priority over the skill's own instructions.
  - Ingestion points: The agent reads .ai-factory/skill-context/aif-fix/SKILL.md, .ai-factory/DESCRIPTION.md, and the last 10 files from .ai-factory/patches/.
  - Boundary markers: No boundary markers or 'ignore embedded instructions' warnings are implemented when processing these files.
  - Capability inventory: The skill has access to the Bash, Write, Edit, and Task (sub-agent execution) tools.
  - Sanitization: No sanitization or validation is performed on the content of these context files before they are adopted as instructional overrides.
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to perform file system operations, such as removing the fix plan (rm .ai-factory/FIX_PLAN.md) and creating directories (mkdir -p .ai-factory/patches). While these are standard operations for the skill's workflow, they represent a capability that could be misused if the agent is successfully injected via the indirect prompt injection surface described above.
Audit Metadata