repo-intake-and-plan
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted data from external repositories to inform the agent's planning phase, creating a surface for indirect prompt injection.
  - Ingestion points: The scripts scripts/extract_commands.py and scripts/scan_repo.py read content directly from the target repository's README files and file system structure.
  - Boundary markers: There are no specific boundary markers or instructions to the agent to disregard potential instructions embedded within the untrusted text being processed.
  - Capability inventory: While the SKILL.md explicitly states the skill does not execute commands, its output (a reproduction plan) is intended to guide a main skill that likely has environment setup and command execution capabilities.
  - Sanitization: The extraction logic classifies commands based on keywords but does not perform security validation or sanitization on the extracted command strings to prevent shell-based attacks.
Audit Metadata