tap-audit
Warn
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: Potential command injection vulnerability in the audit logic. The skill instructions tell the agent to parse a 'Last run:' date from a local file (.tap/tap-audit.md) and interpolate it directly into shell commands such as git log --since="[date]" and git diff --name-only HEAD@{[date]}. If an attacker commits a malicious string to this file, it could lead to arbitrary command execution when the audit is run.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from the repository being audited.
  - Ingestion points: The agent reads repository configuration files (.mcp.json, CLAUDE.md, package.json), git history, and CI logs.
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are used when processing these files.
  - Capability inventory: The agent has the ability to execute shell commands (git, gh, test runners) and write to the file system (.tap/ directory).
  - Sanitization: There is no mention of sanitizing or validating the content read from the repository before it is used to score readiness or identify leverage points.
- [COMMAND_EXECUTION]: The skill requires the agent to perform 'Test runner dry-runs' and other discovery tasks using repository-defined scripts and tools. This involves executing code or configurations controlled by the repository author, which could be malicious.
Audit Metadata