private-vs-shared-components
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to process and review untrusted code provided by users or read from the filesystem. Because the agent is granted 'Write' and 'Edit' tool capabilities, malicious instructions embedded within the code being analyzed could manipulate the agent into performing unauthorized file modifications or data deletion.
- Ingestion point: User-provided code snippets for review and files matched by the src/**/* glob.
- Capabilities: Read, Write, and Edit tools across the codebase.
- Boundary markers: None; there are no instructions to ignore embedded commands in analyzed data.
- Sanitization: None; input is processed as raw code for standard compliance.
- [Command Execution] (MEDIUM): The 'Memory Protocol' section explicitly instructs the agent to execute a shell command (cat .claude/context/memory/learnings.md). While the path is currently static, using shell commands for routine state management increases the attack surface and establishes a precedent for command-line interaction that could be exploited if combined with untrusted inputs.
Recommendations
- AI detected serious security threats