cx-help
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): The workflow described in SKILL.md ingests untrusted data from GitHub Issues and user-provided feature/bug descriptions to drive high-privilege automation. Evidence Chain: 1. Ingestion points: GitHub Issue details (Bug Fix Step 1) and user-supplied descriptions (/cx-prd, /cx-fix). 2. Boundary markers: None specified in the instructions to isolate untrusted content. 3. Capability inventory: File system writes (CLAUDE.md, project source files), network operations (GitHub API synchronization), and command execution (/cx-exec). 4. Sanitization: No mention of content validation or sanitization before processing.
- Command Execution (HIGH): The skill instructions define capabilities such as /cx-exec which 'implements code' and automated 'critical problem' fixing, indicating that the agent will generate and execute code or system commands based on instructions derived from potentially poisoned external data.
- Data Exfiltration (LOW): The workflow includes built-in functionality to synchronize local project data and progress to external GitHub repositories. While targeting a whitelisted domain, this represents an automated external data flow of potentially sensitive internal project information.
Recommendations
- AI detected serious security threats
Audit Metadata