action-mailer-coder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and refactor untrusted data from a local codebase using tools like 'Read', 'Grep', and 'Glob' (File: SKILL.md). It lacks explicit boundary markers or sanitization logic to differentiate between code and embedded instructions. Given its high-tier capabilities ('Write', 'Edit', 'Bash'), an attacker could embed malicious prompts in project files (e.g., within comments or documentation) that the agent might execute as legitimate tasks.
- [Command Execution] (HIGH): The 'Bash' tool is explicitly enabled in the metadata (File: SKILL.md). In an AI agent context, providing raw shell access alongside file-reading capabilities poses a high risk of arbitrary code execution if the agent is manipulated via indirect injection.
- [Data Exposure] (MEDIUM): The requested 'Read' and 'Grep' permissions allow the agent to access sensitive configuration files common in Rails applications, such as 'config/database.yml', '.env' files, or 'config/master.key', which often contain database credentials or application secrets.
Recommendations
- AI detected serious security threats
Audit Metadata