simplify
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted external content (project source code and test files) and possesses high-privilege capabilities.
  - Ingestion points: The agent reads existing code files (e.g., 'src/openenv/core/client.py') and the project's test suite to identify refactoring opportunities.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present to separate the code-under-analysis from the agent's instructions.
  - Capability inventory: The skill performs file-write operations (refactoring) and arbitrary code execution (running tests).
  - Sanitization: No evidence of sanitization or validation of the processed code content before it is incorporated into the agent's reasoning process.
  - Risk: Malicious instructions hidden in comments or strings within the codebase could manipulate the agent into performing unauthorized modifications or data exfiltration.
- [Command Execution] (MEDIUM): The skill's workflow depends on executing the project's test scripts.
  - Evidence: Steps 1 and 4 of 'What It Does' explicitly involve running tests to verify code behavior.
  - Risk: If the test suite contains malicious code or is modified to include harmful shell commands, the agent will execute them in the local environment during its normal operation.
Recommendations
- AI detected serious security threats