cx-exec
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill executes multiple local shell commands using `jq`, `git`, `mv`, and `grep` to manage state. It also invokes developer toolchains (`npm test`, `mvn test`, `uv run pytest`) based on the project environment. These operations are limited to the local project context.
- [PROMPT_INJECTION] (LOW): The skill exhibits an indirect prompt injection surface through the ingestion of task files (`task-{n}.md`).
  - Ingestion points: Task details and API contract snippets are read from local markdown files in the `.claude/cx/features/` directory.
  - Boundary markers: Absent. Task content is interpolated into subagent prompts without clear delimiters or "ignore embedded instructions" warnings.
  - Capability inventory: The skill can modify source code ("automatic correction"), execute arbitrary test commands, and perform `git commit` operations.
  - Sanitization: No sanitization or schema validation is performed on the content of the task files before processing.
- [DATA_EXFILTRATION] (SAFE): The skill reads local configuration files (`config.json`) and project metadata. No evidence of external data transmission or non-whitelisted network requests was found.
Audit Metadata