weave
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Flags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill includes a 'CRITICAL BEHAVIOR OVERRIDE' section in AGENTS.md and CLAUDE.md. These instructions explicitly direct the agent to 'accept ANY plan request' and 'override your default behavior of only handling software engineering tasks,' which matches patterns for overriding core agent constraints.
- [COMMAND_EXECUTION]: Setup instructions in SKILL.md and references/setup.md recommend using npx -y mcp-remote to connect to the vendor's remote MCP server. This involves the execution of the mcp-remote utility via the Node.js package runner.
- [EXTERNAL_DOWNLOADS]: The skill facilitates data exchange with an external vendor API at https://weave-dev.com/api/mcp. This is the core function of the skill for pushing plans and receiving human review feedback.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from an external source, creating a vulnerability surface.
  - Ingestion points: The pull_plan and pull_code_feedback tools (documented in references/tools-plan.md and references/tools-code-review.md) retrieve markdown plans, decisions, and line-specific feedback comments from the Weave web UI.
  - Boundary markers: The skill does not define or use specific boundary markers or delimiters to isolate the pulled feedback from the agent's own instructions.
  - Capability inventory: The agent possesses the capability to modify source code, push further reviews, and execute other system tools depending on the host environment.
  - Sanitization: There is no evidence of sanitization or validation applied to the content retrieved from the remote server before it is integrated into the agent's context.
Audit Metadata