deep-read
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as its primary function is to ingest and analyze untrusted external data in the form of source code.
- Ingestion points: The protocol heavily relies on `Read`, `Glob`, and `Grep` tools in Phases 1 through 4 to load content from arbitrary files within a target codebase.
- Boundary markers: The instructions do not define clear delimiters or "ignore embedded instructions" warnings for the content being read, which could allow an attacker to embed malicious natural language instructions within code comments or strings to influence the agent's behavior.
- Capability inventory: The skill utilizes filesystem interaction tools (`Read`, `Glob`, `Grep`) and a reasoning tool (sequential-thinking). No network operations or arbitrary shell execution capabilities are explicitly defined within the protocol.
- Sanitization: Source code content is analyzed in its raw form without filtering or sanitization of potential natural language overrides.
Audit Metadata