fresh-eyes
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a high-risk attack surface where it ingests untrusted data (user-modified code) and has the capability to write/modify files without human-in-the-loop validation.
  - Ingestion points: Modified source code files identified via "git diff" in SKILL.md.
  - Boundary markers: Absent. There are no instructions for the agent to distinguish between code and embedded instructions in comments or string literals.
  - Capability inventory: Direct file modification ("Fix it immediately", "Don't ask for permission").
  - Sanitization: Absent. The agent processes the file content directly and acts upon its internal reasoning, which can be manipulated by embedded text.
- [Command Execution] (LOW): The skill executes "git diff" commands to identify modified files. This is a standard operation, but it provides the agent with metadata about the local filesystem.
- [Adversarial Logic] (MEDIUM): The instruction 'Don't ask for permission' removes a critical security boundary (human authorization), significantly increasing the potential impact of an indirect prompt injection attack.
Recommendations
- AI detected serious security threats
Audit Metadata