aif-rules
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill instructions in Step 0 (Load Skill Context) mandate that the agent read and prioritize rules from .ai-factory/skill-context/aif-rules/SKILL.md. It explicitly states that these rules should be treated as project-level overrides and that the skill-context rule wins even if it contradicts the general instructions. This behavior establishes a significant indirect prompt injection surface where files in the local project directory can hijack the agent's logic.
- [PROMPT_INJECTION]: The skill appends user-provided or context-derived rules to .ai-factory/RULES.md, which is then automatically loaded by other capabilities like /aif-implement. This creates a supply chain risk where the output of this skill can poison the configuration and behavior of downstream agent tasks.
- [PROMPT_INJECTION]: Mandatory Evidence Chain:
  1. Ingestion points: .ai-factory/skill-context/aif-rules/SKILL.md (read during initialization) and .ai-factory/RULES.md (read during rule addition).
  2. Boundary markers: Absent; instructions encourage total obedience to external context without delimitation.
  3. Capability inventory: Read, Write, Edit, Glob, Grep across workspace files.
  4. Sanitization: Absent; the skill performs no validation or escaping of the rules read from or written to the project files.