document-writer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted data from external sources.
  - Ingestion points: Processes 'ai-todo list' files and 'explores codebases' using search tools in SKILL.md (Steps 1 & 2).
  - Boundary markers: Absent. There are no instructions to delimit or ignore instructions embedded within the codebase or todo lists.
  - Capability inventory: The skill can read/write files and, critically, execute commands and verify code examples.
  - Sanitization: Absent. No validation or filtering of the content found in the codebase before execution or documentation.
- Command Execution (HIGH): The skill mandates the execution of arbitrary commands found in the documentation to ensure accuracy.
  - Evidence: 'Test all commands: Run every command you document' and 'Verify all code examples: Every code snippet must be tested' (Code of Conduct, Section 4).
  - Risk: An attacker could place malicious commands in a README or source code file. The agent, following its 'Code of Conduct' to verify accuracy, would execute these commands on the host system.
- Dynamic Execution (MEDIUM): The skill likely uses a runtime environment to test the code examples it discovers.
  - Evidence: The workflow requires verifying API request/response examples and installation instructions (Workflow Step 5).
Recommendations
- AI detected serious security threats
Audit Metadata