health-refactor
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill includes defensive instructions to mitigate prompt injection. It explicitly directs the agent to treat any instructions found within the analyzed codebase files (e.g., "ignore previous instructions") as data findings rather than commands to be obeyed. This is a security best practice for agents that process untrusted data.
- [COMMAND_EXECUTION]: The skill uses the `git diff` command to identify changed files. It implements a security check that validates the user-provided revision range against a strict whitelist of characters (a-z, A-Z, 0-9, -, _, ., /, ~, ^, :) and rejects shell metacharacters (;, |, &, etc.), effectively preventing command injection.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to process untrusted data from local codebase files, which constitutes a potential indirect prompt injection surface.
  - Ingestion points: Files are resolved and read in Step 1 and Step 2 of the workflow (SKILL.md).
  - Boundary markers: The skill explicitly defines a "Prompt injection boundary" in its Operating Rules, instructing the agent to ignore any directives found in the analyzed data.
  - Capability inventory: The agent can read files and execute git commands but is strictly prohibited by its instructions from modifying code, tests, or configuration.
  - Sanitization: Shell arguments for git commands are validated using a whitelist regex.
- [DATA_EXFILTRATION]: No unauthorized data exfiltration patterns were identified. The skill reads codebase content to produce its report but does not initiate network connections to external or untrusted domains. Its primary outputs are findings and checklists presented within the plan.
Audit Metadata