main-router

Pass

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill defines a 'Full Automation Mode' that explicitly instructs the agent to bypass human-in-the-loop safety checkpoints, such as 'Continue?' prompts or user choices, making all execution decisions autonomously based on its own confidence scores.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by ingesting and acting upon untrusted data from local project files.
    • Ingestion points: Reads instructions and context from files including ./CLAUDE.md, PROJECTWIKI.md, and CHANGELOG.md (SKILL.md Phase 0.1).
    • Boundary markers: The skill does not implement delimiters or explicit 'ignore' instructions for the data read from these local files.
    • Capability inventory: The router can invoke powerful MCP tools such as mcp__zen__clink (CLI access), mcp__zen__planner, and mcp__zen__codereview.
    • Sanitization: Content from project files is used to influence routing and execution logic without sanitization or validation mechanisms.
  • [COMMAND_EXECUTION]: The skill coordinates the execution of the mcp__zen__clink tool, which is used to launch and interact with a command-line interface (Gemini CLI) within a WSL environment for analysis and generation tasks.
  • [DATA_EXFILTRATION]: The skill references hardcoded absolute file paths on the local system, specifically /home/vc/.claude/CLAUDE.md and /home/vc/.claude/AGENTS.md, which exposes the host's directory structure and username.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 18, 2026, 10:03 AM