detect-pack
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE PROMPT_INJECTION NO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection as it aggregates data from multiple audit files to update internal project context and configuration.
- Ingestion points: Data is ingested from markdown files within the $JAAN_OUTPUTS_DIR/detect/ subdirectories as defined in SKILL.md.
- Boundary markers: The instructions do not define clear delimiters or safety instructions (e.g., 'ignore embedded instructions') for the content being read from these files.
- Capability inventory: The skill utilizes tools including Edit(jaan-to/config/settings.yaml) and Write($JAAN_CONTEXT_DIR/**), allowing it to modify the agent's configuration and project seed files.
- Sanitization: No automated sanitization is performed on the ingested data; however, the skill implements mandatory human approval ('HARD STOP') steps in Phase 1 (Step 7) and Phase 2 (Step 8a) where a diff-style summary is presented to the user.
- [NO_CODE]: The skill consists exclusively of markdown-based instructions and templates (SKILL.md, LEARN.md, template.md) and does not include any executable scripts or binary files.
Audit Metadata