triage
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted data from the repository being analyzed and writes results back to memory files (CLAUDE.md, GEMINI.md, AGENTS.md), which could be used to influence future agent behavior.
- Ingestion points: The RepoScanner class in src/scanner.ts reads files and git history from the repository.
- Boundary markers: The prompt template in src/types.ts uses clear headers like USER REQUEST, REPOSITORY CONTEXT, and FILES to separate instructions from analyzed content.
- Capability inventory: The tool can execute system commands via src/models/base.ts (to run AI CLIs), src/patch.ts (to run git and patch), and perform file writes via src/memory.ts.
- Sanitization: The _redact_secrets function in src/scanner.ts provides a layer of protection by masking API keys and private tokens before they are sent to models.
- [EXTERNAL_DOWNLOADS]: The tool performs network requests to check API quota limits.
- Evidence: src/quota.ts uses fetch() to call the official APIs of Anthropic (api.anthropic.com) and OpenAI (api.openai.com). These are recognized as trusted services.
- [COMMAND_EXECUTION]: The tool executes several system utilities and third-party CLI tools to perform its tasks.
- Evidence: Implementation includes calls to git (status, diff, log), patch (to apply fixes), and the claude, gemini, and codex binaries. These are documented as the primary function of the tool and are executed with user-provided or system-generated arguments.
Audit Metadata