update-refs
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill permits broad write access to the entire codebase, including critical files like install.sh and pyproject.toml.
  - Ingestion points: Codebase files (.md, .py, .tsx, .json, .sh) and user-provided terms.
  - Boundary markers: Absent. No delimiters are used to separate user input from file content.
  - Capability inventory: Mass file write access across the project and execution of shell tools.
  - Sanitization: Absent. There is no mechanism to verify that the replacement text is not malicious code. This creates a high-risk surface for indirect prompt injection, where an attacker could influence a refactoring task to inject backdoors into scripts.
- [COMMAND_EXECUTION] (MEDIUM): The skill instructs the agent to run shell commands like grep and npm run build. If the agent interpolates unvalidated user input into the grep pattern or paths, this could lead to local command injection or unauthorized file access.
Recommendations
- AI detected serious security threats
Audit Metadata