
infra-audit

Warn

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill requires the agent to read highly sensitive files that typically contain credentials, API keys, and database passwords.
    • Evidence: Step 1 and Step 2 of the protocol explicitly list .env, .env.local, *.env, and database connection strings as targets for discovery.
    • While the skill includes a safety instruction to only record variable names and not values, the agent still ingests this sensitive data into its context window, which could be exploited.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by processing untrusted data from the local project environment.
    • Ingestion points: Config files (docker-compose.yml), environment files (.env), and source code files.
    • Boundary markers: Absent. The skill does not use specific delimiters or instructions to ignore embedded commands in the files it reads.
    • Capability inventory: The agent has recursive read access to project files and write access to the .planning/ directory.
    • Sanitization: Absent. There is no instruction to escape or validate the content read from files before generating the manifest.
  • [COMMAND_EXECUTION]: The skill performs automated, extensive scans of the project filesystem to locate and read configuration files across multiple technology stacks.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 30, 2026, 02:45 PM