type-design-analyzer
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (MEDIUM): The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted data from task contexts, issues, and pull requests.
  - Ingestion points: The heredoc block in `SKILL.md` accepts arbitrary task context and PR/issue data.
  - Boundary markers: Uses `<<'EOF'`, which successfully prevents shell expansion of the input, but does not protect the subagent from instructions embedded within the text.
  - Capability inventory: Invokes `codex-subagent`, a tool that performs reasoning and analysis. The output is 'folded back into the main workflow', meaning a malicious PR description could influence the parent agent's logic or subsequent actions.
  - Sanitization: No evidence of sanitization or content filtering is present.
- [COMMAND_EXECUTION] (LOW): The skill executes a local command `codex-subagent`. While the execution path is direct and avoids shell injection via quoted heredocs, the command's behavior depends on the integrity of the local environment and the subagent's internal logic.
Audit Metadata