bonfire-end
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Indirect Prompt Injection (LOW): The skill processes untrusted external data from Git commit messages, GitHub PR/Issue titles, and conversation history to generate summaries and archive entries.
- Ingestion points: Step 1 (Git commits), Step 7.1 (GitHub PR titles/states via
gh pr view), and Step 7.3 (conversation signals). - Boundary markers: Absent. The skill does not explicitly instruct the agent to ignore instructions embedded within the PR titles or commit messages it reads.
- Capability inventory: The skill can execute shell commands (
git commit,gh pr view,linear issue update,rm .bonfire/*) and write to local files (.bonfire/index.md, archive files). - Sanitization: The skill uses specific patterns (e.g.,
#[0-9]+for PR numbers) which reduces the risk of command injection, but the LLM remains potentially susceptible to instructions embedded in the text content of those external sources. - Command Execution (SAFE): While the skill uses destructive commands like
rm .bonfire/*, these are strictly scoped to the skill's own configuration directory and require theBashtool permissions already granted in the metadata. - Data Exposure (SAFE): The skill accesses local configuration files (
.bonfire/config.json) and session logs, but does not access sensitive system paths (like~/.ssh) or exfiltrate data to non-whitelisted domains.
Audit Metadata