skills/sethgammon/citadel/watch/Gen Agent Trust Hub

watch

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill scans file contents for markers like '@citadel:' and uses the extracted actions and descriptions to trigger commands. This creates a surface for indirect prompt injection.
      • Ingestion points: File contents are read during the marker scanning process as described in the 'Protocol' section of SKILL.md.
      • Boundary markers: The skill lacks explicit delimiters or instructions to isolate or ignore malicious commands embedded within the marker descriptions.
      • Capability inventory: The skill can trigger high-impact actions like /refactor, /fix, and /review via the /do command router.
      • Sanitization: No validation or sanitization is performed on the extracted marker content before it is interpolated into the agent's execution path.
  • [COMMAND_EXECUTION]: The skill executes local shell commands and platform-specific scheduling tasks to perform its operations.
      • It uses 'git rev-parse' and 'git diff' to detect codebase changes.
      • It employs the 'find' command as a fallback for identifying modified files in non-git environments.
      • It utilizes platform-specific 'CronCreate' and 'CronDelete' commands for managing remote polling schedules when the --remote flag is enabled.
Audit Metadata
Risk Level: SAFE
Analyzed: May 5, 2026, 10:51 AM