event-modeling
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary function is to process untrusted data (external source code, unit tests, and comments) to extract domain logic and specifications. This creates a significant attack surface where malicious instructions embedded in code comments could influence the agent's behavior.
  - Ingestion points: SKILL.md instructions for 'Analyzing Existing Code' state the agent should 'Read the code to extract domain concepts' and 'Extract specs from unit tests and comments.'
  - Boundary markers: No delimiters or safety instructions are provided to help the agent distinguish between code logic and potentially malicious natural language instructions inside those files.
  - Capability inventory: The skill has the permission to 'Write model artifacts to files' (e.g., docs/event-model.md) and 'invoke' other skills like bdd-with-approvals and approval-tests.
  - Sanitization: The instructions lack any requirement to sanitize, escape, or validate content extracted from the code before writing it to the filesystem or passing it to downstream tools.
- Command Execution (MEDIUM): The skill performs active file system operations and invokes other agent skills based on the results of its code analysis.
  - Evidence: SKILL.md directs the agent to 'Write model artifacts to files' and 'invoke the bdd-with-approvals skill'.
- Data Exposure (LOW): The skill is designed to read the user's local codebase. While no exfiltration logic was detected, the agent necessarily accesses sensitive implementation details to fulfill its purpose.
- External Downloads (LOW): The credits.md and disclaimer.md files link to an external GitHub repository (dilgerma/spring-petclinic-kotlin). These are informational links and do not involve automated downloads or runtime execution of remote scripts.
Recommendations
- AI detected serious security threats