refactor
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill interpolates untrusted data from the user-provided code directly into subagent prompts without any boundary markers or sanitization, creating a significant attack surface.
- Ingestion points: The
[TARGET_CODE]variable is ingested by all five subagents (phoenix, plan-agent, kraken, plan-reviewer, arbiter) inSKILL.md. - Boundary markers: None. The target code is placed directly within the prompt string, allowing instructions in the code to potentially override the agent's system instructions.
- Capability inventory: The
krakensubagent has the capability to write code changes to the filesystem. Thearbitersubagent has the capability to execute commands (tests, linting). - Sanitization: None. There is no escaping or validation of the input code.
- [Command Execution] (HIGH): The
arbitersubagent is explicitly instructed to "Run full test suite" and "Run linting". In most development environments, test runners (like npm test, pytest, or make) execute arbitrary code or shell commands defined in configuration files (e.g.,package.json,conftest.py). If the code being refactored is untrusted, an attacker can define malicious test commands that execute with the agent's privileges during the validation phase.
Recommendations
- AI detected serious security threats
Audit Metadata