docs-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted data from the project's codebase (Step 1, Step 4, and Step 5) and uses it to generate or modify critical project files like
CLAUDE.mdandREADME.md. - Ingestion points: The skill scans all project files, including source code, configuration, and existing documentation, to identify 'changes', 'conventions', and 'architecture'.
- Boundary markers: No boundary markers or instruction-isolation techniques are mentioned in the workflow when interpolating project data into templates.
- Capability inventory: The skill has write access to the filesystem, specifically targeting files that dictate agent behavior (
CLAUDE.md) and project instructions. - Sanitization: There is no evidence of sanitization or filtering of the content read from the project files.
- Risk: An attacker could place malicious instructions in code comments or metadata. These instructions could be promoted into
CLAUDE.md, which subsequent agents or tools will use to execute build/test commands, leading to persistent prompt injection or unauthorized command execution. - Data Exposure (HIGH): The skill intentionally identifies and documents project secrets and environment variables.
- Evidence: Example 2 explicitly demonstrates the skill detecting an
AUTH_SECRETand adding it toCLAUDE.mdandREADME.md. - Risk: If the agent accesses active environment variables or
.envfiles and writes their values into the documentation reports or project files, it constitutes a critical exposure of credentials (CREDENTIALS_UNSAFE).
Recommendations
- AI detected serious security threats
Audit Metadata