codex-brainstorm
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it interpolates user-provided data (TOPIC, CONSTRAINTS) and chained AI outputs directly into prompts for secondary model rounds without sanitization or robust isolation techniques.\n
- Ingestion points:
TOPICandCONSTRAINTSvariables inSKILL.mdandtechniques.md.\n - Boundary markers: The skill uses standard Markdown headers (e.g.,
## Topic) which provide structural formatting but do not offer security-hardened isolation for untrusted content.\n - Capability inventory: The skill utilizes tools to list directories (
ls), search for patterns (grep), and read file contents (cat).\n - Sanitization: No input validation, escaping, or filtering is applied to variables before they are interpolated into the prompt templates.\n- [COMMAND_EXECUTION]: The skill explicitly directs the AI to execute shell commands (
ls,grep,cat) against the local file system to perform its research phase. While these operations are constrained by aread-onlysandbox, the automated execution of shell commands derived from AI-interpreted prompts represents an inherent security surface.
Audit Metadata