exercise-pack

Pass

Audited by Gen Agent Trust Hub on Feb 24, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It processes untrusted textbook content from the apps/learn-app/docs/ directory and passes this data to specialized sub-agents for repository and lesson generation. Malicious instructions embedded in the textbook source could influence the output or behavior of these agents.
      • Ingestion points: Phase 1B reads the README.md and all lesson markdown files within a target chapter folder.
      • Boundary markers: The workflow specifies neither delimiters nor ignore-instructions guidance when interpolating textbook content into sub-agent prompts.
      • Capability inventory: The skill possesses file system access, shell execution capabilities (git, gh, bash), and network access via the GitHub CLI.
      • Sanitization: There is no logic mentioned for sanitizing or validating external textbook content before it is processed by the workflow.
  • [COMMAND_EXECUTION]: The skill executes various system commands to manage the exercise lifecycle.
      • Evidence: Phase 1 uses ls and wc to discover and count files. Phase 6 uses git init, git add, git commit, and gh repo create to publish generated code to GitHub. Phase 7 uses git add and git rm to update the local textbook repository. All network-bound commands target the vendor's official GitHub organization (panaversity).
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 24, 2026, 05:48 AM