cook
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted data and instruct the agent to execute code changes based on that data without protection.
- Ingestion points: User input is accepted through the `$ARGUMENTS` variable in `SKILL.md`.
- Boundary markers: Absent. The user input is directly concatenated to the instructions without delimiters (e.g., triple backticks or XML tags) to separate instructions from data.
- Capability inventory: The description explicitly states the purpose is to "start coding, refactoring, or building features," which implies the agent has file-system or repository write access.
- Sanitization: None. There is no evidence of input validation, escaping, or filtering before the input is processed by the model.
- Impact: An attacker could provide a payload in the argument that overrides the skill's purpose, potentially exfiltrating code or injecting malicious logic into the codebase the agent is working on.
Recommendations
- AI detected serious security threats
Audit Metadata