bonfire-context
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and interpret content from external project files which act as untrusted data sources.
  - Ingestion points: The instructions in `SKILL.md` (Steps 3, 4, and 5) direct the agent to read `.bonfire/index.md`, `.bonfire/specs/`, and `.bonfire/docs/`.
  - Boundary markers: Absent. There are no delimiters or instructions provided to the agent to ignore or isolate potential commands embedded within these files.
  - Capability inventory: While the skill itself uses `Read` and `Glob`, it is intended for use in environments where the agent has extensive write and execute capabilities. Poisoned context could lead the agent to modify code maliciously or execute dangerous commands.
  - Sanitization: Absent. The agent is encouraged to "understand" and act upon the content without validation.
- [Command Execution] (LOW): The skill executes `git rev-parse --show-toplevel`. While this is a shell command, it is a standard method for identifying the repository root and poses minimal risk in this context.
Recommendations
- AI detected serious security threats
Audit Metadata