refactor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection. The skill is designed to read and process external code files which may contain malicious instructions disguised as comments or code. Without explicit boundary markers or instructions to ignore embedded commands, the agent might follow instructions found within the files it is refactoring.
- Evidence (Ingestion): Uses the Read and Grep tools to ingest content from user-specified files or patterns (e.g., src/core/*.py).
- Evidence (Capabilities): Possesses the Edit and Bash tools, allowing it to modify the filesystem or execute arbitrary shell commands based on malicious input.
- Evidence (Sanitization): No sanitization or safety delimiters are defined in the skill logic to isolate code content from agent instructions.
- [COMMAND_EXECUTION] (MEDIUM): The skill allows the use of the Bash tool. While intended for refactoring-related tasks, the lack of constraints on its use in the presence of external data increases the risk of arbitrary command execution if an injection occurs.
Recommendations
- AI detected serious security threats
Audit Metadata