review-doc
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted document content and uses it to generate automated file edits.
- [PROMPT_INJECTION]: Mandatory Evidence Chain:
  - Ingestion points: The skill ingests content from a user-specified file path and any referenced documents (such as PRDs or style guides) using the Read tool (Workflow Steps 1 and 2).
  - Boundary markers: The instructions do not define protective delimiters or warnings to ignore embedded instructions when passing ingested text to sub-agents via the Task tool (Workflow Steps 4a and 4b).
  - Capability inventory: The skill utilizes the Edit tool to automatically apply 'fixes' derived from the document processing, and the Task tool to spawn sub-agents with potentially poisoned context (Workflow Step 5).
  - Sanitization: No sanitization or validation of the document content is performed before it is interpreted by the model or used to modify the file system.
Audit Metadata