Skills
skills/namesreallyblank/clorch/refactor/Gen Agent Trust Hub

refactor

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to malicious instructions embedded within the code provided for refactoring.
  • Ingestion points: The [TARGET_CODE] variable is interpolated directly into the prompts for five separate agents (phoenix, plan-agent, kraken, plan-reviewer, arbiter).
  • Boundary markers: There are no boundary markers or instructions telling the agents to ignore commands contained within the [TARGET_CODE] block.
  • Capability inventory: The kraken agent is authorized to write code changes to the filesystem. The arbiter agent is authorized to execute commands to run test suites and linters.
  • Sanitization: No sanitization or validation of the input code is performed before it is processed by the LLM.
  • [Command Execution] (MEDIUM): The arbiter agent's role is to 'Run full test suite' and 'Run linting'. This provides a direct path for arbitrary command execution on the host system. If a previous stage (like kraken) is compromised via injection to write a malicious test file, the arbiter will execute that malicious code during the validation phase.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 07:57 AM