architecture-research
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands to install a peer skill (`clawhub install diagrams`) and to run a Node.js rendering script (`node <diagrams-skill-dir>/scripts/render-elk.mjs`) using dynamically generated JSON input.
- [EXTERNAL_DOWNLOADS]: The workflow requires the agent to clone external Git repositories and perform web searches to gather context, which involves fetching data from untrusted third-party sources.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and analyzes external source code and documentation. Malicious instructions placed in a repository could attempt to subvert the agent's behavior during the research process.
- Ingestion points: The agent reads source code (files) and external documentation (web content) in steps 1 and 2 of the workflow.
- Boundary markers: No specific delimiters or safety instructions are provided to the agent to distinguish between data (code) and instructions when reading files.
- Capability inventory: The agent has permissions to write files, access the network, and execute shell commands (via node).
- Sanitization: The instructions do not define any sanitization or validation logic for the content ingested from external repositories.
Audit Metadata