red-team-review

Pass

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill architecture is susceptible to indirect prompt injection (Category 8). It facilitates the ingestion of repository-based data that could contain malicious instructions intended to subvert the agent's behavior.
  • Ingestion points: Untrusted data enters the context when the agent identifies research artifacts and source files via manifest.json to compile review packets (SKILL.md).
  • Boundary markers: The instructions do not specify the use of clear delimiters or XML tags to isolate the content being reviewed from the instructions provided to the red-team reviewer.
  • Capability inventory: The skill utilizes Bash, Read, and Write tools, and dispatches content to external personas and browser agents.
  • Sanitization: The instructions require no sanitization or filtering of the bundled content before it is transmitted to the reviewer.
  • [DATA_EXFILTRATION]: The skill documentation explicitly instructs the agent to transmit repository context to external entities for review.
  • Evidence: SKILL.md specifies dispatching review packets to "human reviewers (paste-to-chat or browser)" and "browser-based agents". While this is the intended functionality, it creates a sanctioned path for potentially sensitive project data to exit the local development environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 3, 2026, 06:09 PM