tune-repo
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted data from the repository's source code, documentation, and git history to generate operational guidelines (CLAUDE.md, AGENTS.md) and agent memory (MEMORY.md). An attacker could embed malicious instructions in a repository that the skill then promotes to the agent's high-level instructions or long-term memory.
  - Ingestion points: Files within the target repository (Phase 3, 4, 5) and Git commit history/logs (Phase 4, 5).
  - Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are specified when interpolating extracted data into final documents.
  - Capability inventory: The skill performs file writes to the repository (CLAUDE.md, AGENTS.md, docs/adr/) and to the agent's local project memory (~/.claude/.../MEMORY.md). It also triggers external skills like /cartographer and /guardrail.
  - Sanitization: No evidence of sanitization, escaping, or validation of the content extracted from the repository before it is synthesized into agent instructions.
- [COMMAND_EXECUTION]: The skill executes local system commands to gather repository metadata and git history.
  - Commands: Executes 'git rev-parse', 'git remote get-url', 'which glance', 'glance', 'ls', 'mkdir -p', and 'git log'.
  - Context: These are standard operations for a repository analysis tool and are used to build project context.
Audit Metadata