inventory
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements a structural editing protocol including PEEK, POKE, SNIP, and SPLICE commands. These allow the agent to read, modify, and delete data within YAML and JSON files using deep path addressing and wildcards. This capability could be misused to alter project configurations, build scripts, or other sensitive structured files if the agent is not properly restricted to a sandbox environment.
- [PROMPT_INJECTION]: The skill contains a 'skill-snitch-report.md' file that includes a self-authored security verdict of 'APPROVE'. This is a deceptive metadata pattern intended to influence the analyzer's judgment and potentially bypass human review by mimicking an official audit.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting and processing untrusted data from multiple file formats, including YAML, JSON, and Markdown.
  - Ingestion points: Data is retrieved via the read_file tool during the resolution of pointers and structural addresses defined in 'SKILL.md', 'CARD.yml', and user-supplied inventory files.
  - Boundary markers: The instructions in 'SKILL.md' and 'README.md' lack explicit markers or safety guidelines to prevent the agent from treating data extracted from files as executable instructions.
  - Capability inventory: The skill possesses extensive file-write (write_file) and file-delete (delete_file) capabilities, as listed in the 'SKILL.md' frontmatter and documentation.
  - Sanitization: No sanitization, escaping, or schema validation is performed on the content retrieved from external files before it is processed or used to modify other files in the system.
Audit Metadata