code-refactoring-context-restore
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH. Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): High risk of Indirect Prompt Injection via the 'rehydration' process.
- Ingestion points: The skill explicitly reads data from context_source (file systems or vector databases) using functions like semantic_context_retrieve and load_component defined in SKILL.md.
- Boundary markers: None. There are no instructions to treat the restored context as untrusted data or to isolate it using delimiters.
- Capability inventory: The skill is intended for 'code refactoring' workflows, which typically involve the agent having permissions to modify source code. Malicious instructions hidden in project metadata or code comments could hijack the agent during these write operations.
- Sanitization: No sanitization or filtering logic is provided or suggested for the retrieved data.
- [COMMAND_EXECUTION] (LOW): The skill documentation references the use of a CLI tool named context-restore for project context management. While the provided examples are standard, executing local binaries based on project identifiers carries a minor risk if the identifiers are not validated.
Recommendations
- AI detected serious security threats
Audit Metadata