skills/udecode/plate/onboarding/Gen Agent Trust Hub

onboarding

Warn

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a bundled JavaScript file scripts/inventory.mjs using Node.js to perform a structural analysis of the repository. While this is part of the intended functionality, it involves executing local script content in the agent's environment.
  • [DATA_EXFILTRATION]: The 'Share to Proof' feature in SKILL.md (Phase 5) uses curl to send the full content of the generated ONBOARDING.md to https://www.proofeditor.ai/share/markdown. This involves sending a summary of the repository's architecture, dependencies, and internal structure to a non-whitelisted third-party domain.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It reads content from numerous files within the repository (READMEs, route handlers, entry points, etc.) and incorporates their logic into the generation of the onboarding document without explicit boundary markers or instructions to ignore embedded commands.
      • Ingestion points: Files identified in SKILL.md Phase 2 (README.md, entry points, route/controller files, config files, etc.).
      • Boundary markers: Absent; there are no specific delimiters used to wrap ingested content or instructions to prevent the agent from following directions found within those files.
      • Capability inventory: The skill can execute shell commands (node, curl, jq) and write files to the local file system.
      • Sanitization: Absent; the skill does not filter or sanitize the contents of the files it reads before processing them.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 30, 2026, 01:21 AM