check
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It processes user-provided questions and codebase evidence (file contents, git diffs) and interpolates them directly into a prompt for a sub-agent (Task) in Step 3 without sanitization or protective boundary markers.
  * Ingestion points: User input from the /check command and codebase evidence gathered in Step 2 (SKILL.md).
  * Boundary markers: None present in the Task prompt template (SKILL.md).
  * Capability inventory: Bash (executes test suites) and Task (spawns a sub-agent) (SKILL.md).
  * Sanitization: No validation, escaping, or filtering is applied to external data before interpolation.
- [COMMAND_EXECUTION]: The skill allows for the execution of arbitrary test commands via Bash based on user queries (Step 2). If an attacker has modified the codebase's test scripts (e.g., package.json scripts or test files), the agent will execute this malicious code when performing a check.
- [DATA_EXFILTRATION]: There is a risk of sensitive data exposure. The skill reads file contents and git diffs to gather evidence and passes this information to an LLM-based sub-agent. If a user crafts a question targeting sensitive files (like .env or SSH keys), the skill will read and process that data.
Audit Metadata