cx-adr
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Command Execution] (SAFE): Uses standard system utilities `git` and `jq` to determine the project root and developer identity from local configuration. These are routine operations for a development-focused AI skill.
- [Indirect Prompt Injection] (LOW): The skill ingests untrusted data from local files that could be influenced by external actors (e.g., a shared codebase or PRD documents).
  - Ingestion points: Reads `prd.md`, `design.md`, and scans project source code in Step 2 and Step 3.
  - Boundary markers: No explicit instructions or delimiters are provided to the agent to ignore potentially malicious embedded instructions in these documents.
  - Capability inventory: The skill can write files to the local filesystem (`adr.md`, `adr.json`) and create GitHub Issues (if enabled).
  - Sanitization: No evidence of sanitization or escaping for the content read from files before it is used to generate the ADR or sync to GitHub.
- [Data Exposure] (SAFE): Accesses `.claude/cx/config.json`. While this file contains configuration data, there is no evidence of accessing high-value secrets like SSH keys or AWS credentials. Access is limited to the defined project scope.
Audit Metadata