bugfix
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data including bug descriptions, stack traces, and test logs which are then interpolated into prompts for parallel agents (debugger, gap-analyzer). While this is a standard workflow for a debugging tool, it provides a surface for indirect prompt injection if the ingested logs or code contain adversarial instructions. The skill mitigates this through mandatory user confirmation of the diagnosis before proceeding to the execution phase.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to interact with a local command-line interface (hoyeon-cli) and manage temporary files. It employs secure patterns, such as EOF heredocs for JSON merging, to minimize the risk of shell injection during command construction.
- [DATA_EXPOSURE]: Debugging state, session data, and reports are stored locally in the user's home directory ($HOME/.hoyeon/). This is standard behavior for development-oriented tools and does not involve the exposure of sensitive system credentials or network exfiltration of data.
Audit Metadata