check-backend
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill instructs the agent to run
git statusto identify changed files. While this is a common operation, it involves direct interaction with the system shell. - [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its combination of reading untrusted data and having file-modification capabilities.
- Ingestion points: The agent reads the content of guideline files in the
.trellis/spec/backend/directory and the user's source code files. - Boundary markers: Absent. The instructions do not include delimiters or specific guidance to ignore embedded instructions within the guidelines or source code.
- Capability inventory: The agent can execute shell commands (
git status), read internal files, and modify files ('fix them if found'). - Sanitization: Absent. There is no validation or sanitization of the guidelines or source code content before the agent uses it to decide on and apply code 'fixes'.
Recommendations
- AI detected serious security threats
Audit Metadata