ios-expert
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The 'Memory Protocol' section mandates the use of the `Bash` tool to execute `cat .claude/context/memory/learnings.md`. While this is a common pattern for persistent memory in some agent frameworks, using shell commands to read files increases the attack surface compared to using a dedicated file-read tool.
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection (Category 8) surface detected.
  - Ingestion points: The skill is designed to review and refactor user-provided code snippets (SKILL.md instructions).
  - Boundary markers: Absent; there are no instructions or delimiters provided to prevent the agent from following malicious commands embedded in the code it is reviewing.
  - Capability inventory: The skill has access to powerful tools including `Bash`, `Write`, `Edit`, and `Grep`.
  - Sanitization: Absent; the skill does not include instructions to sanitize or escape content from the code files it processes. An attacker could embed instructions in comments within a code snippet that might be executed by the agent.
Audit Metadata