skills/sheeki03/few-word/fewword/Gen Agent Trust Hub

fewword

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (LOW): The skill documentation and scripts (cleanup_scratch.py, implementation-patterns.md) promote the use of shell commands like find, rm, grep, and sed to manage and search offloaded context. While these are standard utility commands, they are executed within the user's environment.
  • [DATA_EXFILTRATION] (SAFE): While the skill reads and writes data to the local filesystem (under .fewword/), there are no detected network calls or hardcoded credentials that would facilitate exfiltration. The operations are local to the project directory.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill's primary purpose is to store and later retrieve external data (tool outputs, agent findings). This data is often untrusted (e.g., web search results, logs). Because the agent is encouraged to read these files (using cat, grep, etc.) and process them, the skill creates a surface where embedded instructions in the offloaded files could influence the agent's behavior.
    • Ingestion points: .fewword/scratch/tool_outputs/, .fewword/scratch/subagents/.
    • Boundary markers: Output offloading adds a header ([Output offloaded to filesystem]), but does not explicitly warn the model to ignore instructions within the file content.
    • Capability inventory: The agent uses standard shell tools (ls, grep, cat) and Python scripts provided in the skill.
    • Sanitization: No sanitization is performed on the data before it is written to the filesystem or read back into the context.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:33 PM