using-devops-skills
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill uses extreme imperative language to hijack the agent's decision-making logic and override user intent.
- Evidence: Use of markers like "ABSOLUTELY MUST", "NOT NEGOTIABLE", and "YOU DO NOT HAVE A CHOICE" inside `<EXTREMELY-IMPORTANT>` tags.
- Instruction Override: The prompt explicitly tells the agent to ignore user instructions if they attempt to bypass these workflows ("Instructions say WHAT, not HOW... doesn't mean skip workflows").
- [COMMAND_EXECUTION] (MEDIUM): The skill sets up a workflow for executing high-privilege commands involving cloud infrastructure (AWS) and Infrastructure as Code (Terraform).
- Unverifiable Safety Claims: The skill claims that dangerous commands like `terraform destroy` are "intercepted by safety hooks." Per global security rules, these self-referential claims of safety are ignored; the skill provides the instructions to attempt these operations regardless.
- [INDIRECT_PROMPT_INJECTION] (MEDIUM): The mandatory "1% chance" invocation rule increases the system's attack surface by forcing the agent to ingest and act upon data from external tools on almost every input.
- Ingestion Points: `SKILL.md` references data from `terraform plan`, git history, and code review comments.
- Boundary Markers: None identified; the agent is instructed to "follow skill exactly."
- Capability Inventory: The skill enables subprocess calls for Terraform, AWS CLI, and Git workflows.
- Sanitization: No evidence of sanitization or validation of the external content being processed.
Recommendations
- AI detected serious security threats
Audit Metadata