research
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it processes untrusted content from the codebase.
  - Ingestion points: Content is read from files using the Read, Glob, and Grep tools as specified in SKILL.md.
  - Boundary markers: No instructions are provided in SKILL.md to ignore embedded commands or to differentiate between code and instructions.
  - Capability inventory: The agent's tools are restricted to reading and searching files; no tools for network access, file modification, or code execution are available.
  - Sanitization: Content retrieved from the files is not filtered or sanitized before being incorporated into the output report.
- [DATA_EXFILTRATION]: The skill's instructions explicitly encourage searching for sensitive configuration data.
  - Specifically, the workflow guidance in SKILL.md suggests that the agent should "Find where and how Stripe API keys are configured and used," which can lead to the exposure of credentials to the agent's output context if they are stored within the scanned repository.
Audit Metadata