agents-md-evals
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements a 'Clean Baseline Protocol' that moves global agent configuration files (
~/.claude/CLAUDE.md,~/.codex/AGENTS.md,~/.cursor/AGENTS.md) and project memory directories to a temporary backup directory. Because these files are located outside the immediate workspace and affect the global behavior of the AI agent, any failure to restore them (e.g., due to a process crash or user interruption) would result in a persistent modification of the user's environment.\n- [COMMAND_EXECUTION]: Thegenerate_review.pyutility uses a combination oflsofandos.killto terminate processes occupying its target port. This is an aggressive approach to process management that involves sending termination signals to other system processes.\n- [PROMPT_INJECTION]: The skill processes untrusted content from the codebase, specificallyAGENTS.md/CLAUDE.mdinstruction files and git commit history, to generate and grade evaluation prompts. This constitutes an indirect prompt injection surface where malicious instructions in the analyzed data could attempt to bypass the grader's logic or influence the final analysis.\n - Ingestion points:
SKILL.mdidentifies and reads all instruction files in the project root and global config directories;analyzer.mdandgrader.mdconsume transcripts and outputs generated from this data.\n - Boundary markers: The skill relies on natural language instructions for subagents but lacks strict delimiters or escape sequences to separate the data being analyzed from the agent's instructions.\n
- Capability inventory: The skill can move files, execute Python scripts, and run a local web server, providing a range of actions that could be targeted by an injection.\n
- Sanitization: No explicit sanitization or filtering is performed on the ingested instruction files or git logs before they are presented to the LLM.
Audit Metadata