council
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from the local repository, which could contain malicious instructions designed to manipulate the behavior of the AI consultants.
- Ingestion points: Data enters the agent context through the Read, Grep, and Glob tools, as well as git diff, git log, and git blame commands documented in WORKFLOWS.md and SKILL.md.
- Boundary markers: The skill implements XML delimiters such as <file_content>, <pr_diff>, and <git_history> to isolate untrusted data.
- Capability inventory: The skill possesses the Bash, Task, Read, Grep, Glob, and TodoWrite tools, allowing it to execute system commands, orchestrate agent tasks, and modify files.
- Sanitization: The instructions explicitly direct consultants to treat delimited content as data only and to ignore embedded instructions.
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to orchestrate developer utilities and AI command-line interfaces.
- Evidence: It executes git commands for context gathering, gitleaks for secret detection, and various AI CLIs including gemini, codex, qwen, and opencode.
Audit Metadata