repo-research-analyst
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill directs the agent to read and adopt instructions from 'CLAUDE.md', described as 'AI assistant instructions'. This creates a high-risk vector for indirect prompt injection where an attacker-controlled repository can override the agent's system prompt or core safety constraints.
- COMMAND_EXECUTION (MEDIUM): The skill relies on 'ls', 'find', and 'grep' through a bash interface. While these are intended for analysis, they provide an execution surface that an indirect prompt injection attack could exploit to map the filesystem or access sensitive files outside the intended repository path.
- INDIRECT PROMPT INJECTION (HIGH): This skill exhibits a significant attack surface due to its core functionality. Evidence Chain: 1. Ingestion points: Systematically reads the contents of README.md, CONTRIBUTING.md, ARCHITECTURE.md, and CLAUDE.md from a local path. 2. Boundary markers: None. The skill does not instruct the agent to treat file contents as untrusted data or use delimiters to separate these contents from instructions. 3. Capability inventory: Possesses filesystem navigation (ls, find), pattern matching (grep), and file writing capabilities (handoff creation). 4. Sanitization: No sanitization or filtering is performed on the ingested text before the agent processes it or incorporates it into its research handoff.
Recommendations
- AI detected serious security threats
Audit Metadata