refactor-expert
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly susceptible to indirect prompt injection because it is designed to ingest and process external, untrusted source code.
- Ingestion points: The skill accepts a <file> argument for commands such as refactor:analyze, refactor:plan, and refactor, which are then read into the agent's context.
- Boundary markers: There are no explicit instructions or delimiters defined to separate untrusted code content from the agent's instructions, nor are there warnings to ignore embedded instructions in the source files.
- Capability inventory: The skill allows the agent to read local files, write logs and plans to .claude/logs/refactors/, and perform code modifications (refactoring).
- Sanitization: No sanitization or validation logic is present to filter malicious instructions within comments or string literals in the target files.
- [Command Execution] (MEDIUM): The command refactor:quick is explicitly documented to "Skip approvals." This grants the agent autonomous write access to the codebase without a human-in-the-loop, significantly increasing the impact of a successful injection or logic error.
Recommendations
- AI detected serious security threats
Audit Metadata