yaml-jazz
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill advocates for treating YAML comments as instructions ('Comments ARE instructions'), creating a surface for indirect prompt injection if the agent processes YAML from untrusted sources. \n
- Ingestion points: The 'INTERPRET' method in CARD.yml and GLANCE.yml which takes 'yaml' as a parameter. \n
- Boundary markers: Absent; the skill explicitly discourages rigid schemas and encourages 'semantic improvisation' where instructions and data are blended. \n
- Capability inventory: The SKILL.md metadata lists 'read_file' and 'write_file' as allowed tools, which could be abused if an injected comment directs the agent to overwrite files. \n
- Sanitization: Absent; the skill relies on 'Postel's Law' (liberal interpretation), which is contrary to secure input validation practices. \n
- [DATA_EXFILTRATION] (SAFE): No sensitive file access or network exfiltration patterns were detected; examples use standard placeholders like '${SECRET}'. \n
- [REMOTE_CODE_EXECUTION] (SAFE): No remote code downloads or external package installations are defined in the skill files.
Audit Metadata