spec-writing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONNO_CODE
Full Analysis
- Indirect Prompt Injection (HIGH): The skill establishes an automated feedback loop where untrusted data from a user's codebase is used to generate persistent instructions for the agent. 1. Ingestion points: 'references/codebase-analysis.md' scans files like 'package.json', '.env', and 'pyproject.toml'. 2. Boundary markers: The templates provided (e.g., 'templates/overview.template.md', 'references/session-prompt-template.md') do not include delimiters or instructions to ignore embedded commands within the ingested data. 3. Capability inventory: 'references/session-prompt-template.md' instructs the agent to create a 'prompt.md' file and subsequently 'Execute the plan'. This gives the generated (and potentially poisoned) content the ability to direct future agent actions and file modifications. 4. Sanitization: No sanitization logic or validation steps for ingested codebase content are defined in the reference flows or templates.
- No Code (LOW): The analysis of the 16 files shows only Markdown content. No executable scripts or configuration files that execute logic (e.g., Python, JS, YAML) are present in this set, precluding direct remote code execution or exfiltration by the skill's own logic.
Recommendations
- AI detected serious security threats
Audit Metadata