jules
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill installs the @google/jules package globally via npm. Because the package is from a trusted organization (Google), the severity is downgraded.
- REMOTE_CODE_EXECUTION (LOW): The skill uses `jules remote pull --apply` to download code from a remote session and write it to the local filesystem. While this constitutes remote code modification, it is the primary intended function of the skill.
- COMMAND_EXECUTION (LOW): The skill automates several shell and git commands (e.g., git checkout, git commit, gh pr view) to manage the development workflow.
- PROMPT_INJECTION (LOW): The skill exhibits an indirect prompt injection surface (Category 8).
  1. Ingestion points: Pulls data from GitHub PRs (title, body) and local git diffs.
  2. Boundary markers: None; untrusted external data is interpolated directly into AI prompts.
  3. Capability inventory: Filesystem write access via jules CLI, git commit, and git push.
  4. Sanitization: None identified.