planning
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- DATA_EXPOSURE (HIGH): In
references/codebase-understanding.md, the skill explicitly directs the agent to 'Analyze dotenv files and configuration'. Dotenv files are a standard location for sensitive credentials, API keys, and database strings. Accessing these files without a specific, safe handling protocol poses a high risk of credential exposure. - COMMAND_EXECUTION (MEDIUM): The skill utilizes
node .claude/scripts/set-active-plan.cjs(referenced inSKILL.mdandreferences/plan-organization.md) to manage state. Executing local scripts that are not included in the skill package itself constitutes unverified code execution. - EXTERNAL_DOWNLOADS (MEDIUM): The
references/research-phase.mdfile encourages the use ofrepomix --remote <github-repo-url>to fetch and summarize remote repositories. This facilitates the ingestion of untrusted external content into the agent's context. - PROMPT_INJECTION (LOW): The skill exhibits a surface for Indirect Prompt Injection (Category 8).
- Ingestion points: The agent reads local codebase files, research reports, and remote GitHub repositories.
- Boundary markers: None specified; there are no instructions to treat ingested content as data-only or to ignore embedded instructions.
- Capability inventory: The agent can execute shell commands (
node,gh,repomix) and spawn sub-agents. - Sanitization: No sanitization or validation of external content is mentioned.
Recommendations
- AI detected serious security threats
Audit Metadata