tech-debt-analyzer
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute several local command-line tools including grep, git, npm, pip, and go. These are used to search for technical debt markers (TODO, FIXME), analyze commit history, and identify outdated dependencies. These operations are diagnostic in nature and limited to the local environment.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes external, untrusted data from source code comments and git commit messages. There are no defined boundary markers or sanitization steps provided in the instructions. * Ingestion points: Source code files (via grep) and git logs (via git log). * Boundary markers: Absent; there are no instructions to delimit or ignore instructions within the gathered debt signals. * Capability inventory: Local command execution (grep, git, npm, pip, go). * Sanitization: Absent; the skill does not include steps to sanitize or escape content extracted from the codebase before processing.
Audit Metadata