planning
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill instructions in references/codebase-understanding.md explicitly direct the agent to analyze dotenv files and configuration. These files frequently contain plaintext secrets, API keys, and database credentials, exposing them to the model context.
- [PROMPT_INJECTION] (HIGH): High risk of Indirect Prompt Injection (Category 8) due to the ingestion of untrusted external content.
  - Ingestion points: The agent reads remote repositories using repomix --remote and analyzes GitHub issues, pull requests, and logs via the gh command.
  - Capability inventory: The agent can create files (plans), execute shell commands (repomix, gh), and its output is intended to guide implementation by developers or other agents.
  - Boundary markers: None identified. There are no instructions to the agent to treat external content as untrusted or to ignore embedded instructions.
  - Sanitization: No sanitization or validation of the remote content is mentioned before it is processed into implementation plans.
- [COMMAND_EXECUTION] (MEDIUM): The skill uses the repomix tool to process remote repository URLs and the gh CLI to interact with GitHub. Executing tools against untrusted remote resources can be exploited if the tools themselves have vulnerabilities or if the output is used to construct further commands.
Recommendations
- AI detected serious security threats