docs-writer
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the `Bash` tool to perform complex filesystem operations, including `git log`, `git diff`, `find`, and `grep`. It also executes dynamic Python code via `python3 -c` strings to parse and extract data from JSON schema files at runtime.
- [DATA_EXFILTRATION]: The instructions require the agent to read the entire codebase, including UI source code, Go backend handlers, and configuration schemas. This provides the agent with a comprehensive view of the application's architecture and internal logic, which could lead to sensitive data exposure if the agent is compromised or misled.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. It is designed to ingest and process data from the local repository and external web searches without boundary markers or sanitization. If an attacker places malicious instructions in the codebase (e.g., in a code comment or a documentation file), the agent might execute them while performing its research tasks.
  - Ingestion points: Local codebase files (.tsx, .go, .json, .mdx), git history, and external content fetched via `WebSearch` and `WebFetch`.
  - Boundary markers: No delimiters or safety instructions are used to distinguish between valid data and embedded instructions in the files being read.
  - Capability inventory: The agent possesses high-impact tools including `Bash`, `Write`, `Edit`, and `WebSearch`.
  - Sanitization: No validation or sanitization is performed on the content read from the filesystem or external sources before it is processed by the agent.
Audit Metadata