tilth
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses imperative language such as "MANDATORY" and "Use tilth instead of read, grep, find, cat" to coerce the agent into overriding its standard, safety-hardened tools with a custom utility. This is a form of behavioral instruction overriding.
- [COMMAND_EXECUTION]: The skill is centered around executing the
tilthCLI tool with various arguments, including the ability to read any file on the system or map entire directory structures. This represents a significant capability for interacting with the host environment. - [DATA_EXPOSURE]: While not a standalone category in the schema, the documentation explicitly lists reading dotfiles (e.g.,
.env) as a capability. This presents a risk of sensitive data exposure if the agent is directed to explore a codebase that contains hardcoded secrets or configuration files. - [INDIRECT_PROMPT_INJECTION]: The tool is designed to ingest and summarize large volumes of external code and text. This creates a surface for indirect prompt injection where malicious instructions embedded in source code, comments, or documentation could be processed by the agent during its analysis of a repository.
- [CAPABILITY_INVENTORY]:
- Ingestion points:
tilth <path>(file read),tilth <symbol>(AST-based search),tilth --map(directory traversal). - Boundary markers: None specified in the prompt instructions to isolate external content.
- Capability inventory: File system read, directory mapping, and potential file modification via the mentioned
--editmode. - Sanitization: No evidence of sanitization or escaping of file content before it is presented to the agent.
Audit Metadata