substitute-eraser
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted content from the codebase (source files, configs, docs) and has the capability to modify files (`substitute-fix`) or interact with external APIs (`substitute-tasks`). An attacker could place malicious instructions inside a 'TODO' or 'FIXME' comment that the agent might obey when performing 'fixes' or generating tasks.
  - Ingestion points: Local filesystem via `just substitute-scan <path>`.
  - Boundary markers: None. The skill interprets the content of placeholders directly.
  - Capability inventory: Local file modification (`substitute-fix`), external API writes (`substitute-tasks --output=github/linear`), and system command execution via `just`.
  - Sanitization: None detected in the skill definition.
- [Data Exposure] (MEDIUM): The skill explicitly scans 'Configuration files'. If detection patterns match secrets or sensitive values labeled with placeholders (e.g., 'API_KEY=xxx-TODO'), these secrets may be leaked into the remediation report or external issue trackers.
- [Metadata Poisoning] (MEDIUM): There is contradictory metadata regarding the 'Trit' assignment (listed as -1 in the header and 1 in the SDF section), which may be intended to confuse automated reasoning about the skill's role as a validator vs. a generator.
Recommendations
- AI detected serious security threats