resonance-librarian
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Threat categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests descriptions of 'solved problems' to generate documentation. Because it also possesses tools such as run_command, write_file, and edit_file, an attacker could provide a malicious problem description that causes the agent to execute arbitrary commands or modify sensitive files.
- Ingestion points: Processes descriptions of 'solved problems' and reads existing project files via read_file (SKILL.md, Operational Sequence).
- Capability inventory: Includes run_command, write_file, edit_file, and read_file.
- Boundary markers: None. The instructions do not specify how to distinguish between the agent's instructions and the untrusted content being documented.
- Sanitization: No sanitization or validation of the input data is performed before it is used to drive tool actions or written to files.
- Command Execution (HIGH): The run_command tool is available to the agent. The 'Documentation Quality Gate' (references/doc_quality_gate.md) specifically requires that every code snippet be runnable and that 'The Execution Test' be performed by copy-pasting and running commands. This creates a direct path from untrusted input to local command execution.
- Data Exposure (HIGH): The agent can read any file in the project using read_file. Malicious input could trick the agent into including sensitive information (such as .env files, config files, or keys) in generated public documentation or index files like llms.txt.
Recommendations
- AI detected serious security threats
Audit Metadata