bonfire-document
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted data from the codebase using the `Read` tool and possesses high-impact capabilities including `Write` and `Bash(git:*)`. A malicious file within the researched codebase could contain instructions that override the agent's behavior.
  - Ingestion points: Any file within the repository being documented (via `codebase-explorer` subagent).
  - Boundary markers: None. The instructions do not define delimiters or provide 'ignore embedded instructions' warnings when processing code content.
  - Capability inventory: `Write` (file creation/modification), `Bash(git:*)` (command execution via git), `Task` (delegation to subagents).
  - Sanitization: No sanitization or validation of the content read from the codebase is specified before it is processed by the `writer` agent.
- [Command Execution] (MEDIUM): The skill utilizes the `Bash(git:*)` tool. Although scoped to git operations, this allows for interaction with the local filesystem and version control system, which could be exploited if combined with a prompt injection or used to trigger malicious git hooks.
- [Data Exposure] (LOW): The skill reads `.bonfire/config.json`, which may contain configuration data. While expected for the skill's function, access to configuration files should be monitored for unauthorized access to sensitive metadata.
Recommendations
- AI detected serious security threats