compound-engineering
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection because it ingests untrusted content from the codebase and external sources while maintaining execution capabilities.\n
- Ingestion points: Pull request diffs, external research results, and arbitrary codebase files analyzed during planning.\n
- Boundary markers: Absent. The instructions do not provide delimiters or security warnings to the agent when processing external data.\n
- Capability inventory: Execution of subprocesses (npm test, npm run lint, git log) and file system writes (updating AGENTS.md and codebase files).\n
- Sanitization: Absent. There is no validation or sanitization of input data before it is incorporated into the agent's planning or execution tasks.\n- [Command Execution] (MEDIUM): The skill invokes shell commands such as 'npm test' and 'npm run lint'. If an attacker-controlled file (like a malicious package.json in a PR) is processed, these commands could lead to arbitrary code execution on the developer's machine.
Recommendations
- AI detected serious security threats
Audit Metadata