repo-intake-and-plan

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
Finding tag: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface because it processes and classifies untrusted data taken from repository documentation.
  • Ingestion points: Untrusted data enters the agent context through scripts/extract_commands.py and scripts/scan_repo.py, which read README files and directory listings from user-specified repositories.
  • Boundary markers: The skill instructions in SKILL.md establish clear operational boundaries and recommend conservative behavior (e.g., 'record ambiguity instead of overcommitting'), but they do not employ formal data delimiters or instruct the agent to ignore directives found within the ingested content.
  • Capability inventory: The skill's scripts use standard libraries for string and file processing but contain no functions for network requests, subprocess execution, or writing files, which limits the potential impact of an injection.
  • Sanitization: Extracted command strings are identified via regular expressions but are not sanitized or validated for malicious payloads before being included in the output plan.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 1, 2026, 07:21 PM