explainer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection. The skill is designed to process external content that an agent might not own or control, combined with high-impact capabilities.
- Ingestion points: The 'Gather Full Context' section explicitly directs the agent to read code, tests, comments, and git history using
Read,Grep, andGlobtools. - Boundary markers: Absent. There are no instructions or delimiters defined to prevent the agent from obeying instructions embedded within the code or comments it is analyzing.
- Capability inventory: The skill allows the
Bashtool, which provides a direct path for arbitrary command execution. - Sanitization: Absent. There is no requirement for the agent to filter or sanitize the content it reads before processing it.
- [COMMAND_EXECUTION] (MEDIUM): The inclusion of
Bashin theallowed-toolslist is a high-privilege permission. While the skill's stated purpose is 'explaining,' the availability of a shell increases the potential for an attacker to transition from a prompt injection to full system compromise.
Recommendations
- AI detected serious security threats
Audit Metadata