trellis-check

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Python script located at ./.trellis/scripts/get_context.py to retrieve package context. While this is a standard pattern for developer tooling, it involves executing script logic that resides within the repository.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by reading specification files and following instructions contained within them. An attacker with the ability to modify these files could potentially influence the agent's behavior.
      • Ingestion points: The skill reads file content using cat .trellis/spec/<package>/<layer>/index.md and referenced guideline files.
      • Boundary markers: No boundary markers or 'ignore embedded instructions' warnings are present when processing these files.
      • Capability inventory: The skill possesses the ability to execute shell commands (git, python3, grep), read local files, and is instructed to 'fix' code violations, which implies file-write capabilities.
      • Sanitization: No sanitization or validation of the ingested specification content is performed before the agent is instructed to follow it.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 29, 2026, 08:18 AM