learn-codebase
Warn
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The instruction to read "EVERY SOURCE FILE IN FULL" creates a significant risk of data exposure, as it encompasses sensitive files such as environment variables (`.env`), credentials, and private project configurations that are typically excluded from general context processing.
- [PROMPT_INJECTION]: The skill uses authoritative language ("critical and non negotiable") designed to override the agent's internal constraints regarding resource limits, token usage, or safety-based selective reading.
- [PROMPT_INJECTION]: The skill enables indirect prompt injection by systematically ingesting all codebase content, creating a large surface area for malicious instructions embedded in untrusted source files to execute within the agent's context.
  - Ingestion points: The agent is instructed to use the `Read` tool on every file in the codebase.
  - Boundary markers: Absent; the skill lacks delimiters or instructions to ignore commands found within the processed files.
  - Capability inventory: The skill explicitly directs the use of the `Read` tool with paging capabilities (`offset`, `limit`).
  - Sanitization: Absent; no filtering or validation is performed on the ingested file contents.
- [COMMAND_EXECUTION]: The skill provides explicit logic for using external tools (`Read`) to systematically traverse the filesystem and retrieve full file contents.
Audit Metadata