security-best-practices
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The 'Overrides' section in
SKILL.mdcontains instructions that explicitly permit bypassing security protocols based on external data. It states: 'Pay attention to specific rules and instructions in the project's documentation and prompt files which may require you to override certain best practices.' This creates a directive for the agent to obey instructions found in the very data it is auditing. - INDIRECT PROMPT INJECTION (HIGH): The skill possesses a dangerous combination of untrusted data ingestion and high-privilege capabilities.
- Ingestion points: Processes project files, documentation, and prompt files from the repository being analyzed (as described in the 'Workflow' and 'Overrides' sections).
- Boundary markers: None. There are no instructions to treat project content as data rather than instructions, nor are there delimiters to separate untrusted content from the agent's internal logic.
- Capability inventory: The skill can write files (
security_best_practices_report.md), modify existing code ('Fixes' section), and perform git commits ('follow any normal change or commit flow'). - Sanitization: None. The skill does not describe any validation or filtering of instructions found in project files before they influence code modification decisions.
- COMMAND_EXECUTION (MEDIUM): The 'Fixes' workflow allows the agent to execute shell commands for git operations ('making git commits') and potentially testing flows ('follow any normal testing flows'). While expected for its purpose, this capability is highly exploitable if the agent is successfully injected via the indirect prompt injection path.
Recommendations
- AI detected serious security threats
Audit Metadata