debt-audit

Pass

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses standard system utilities such as grep and wc to count lines and identify patterns in source files for the purpose of technical debt analysis.
  • [PROMPT_INJECTION]: The skill scans untrusted data within code comments (TODO, FIXME, etc.). This creates an indirect prompt injection surface, but the risk is assessed as safe because the skill only uses this data to populate a local Markdown report and does not execute the extracted text.
  • Ingestion points: Project source files identified during the pre-scan setup.
  • Boundary markers: None explicitly used for report content.
  • Capability inventory: Reads local files, executes grep/wc, and writes to DEBT-REPORT.md.
  • Sanitization: No explicit sanitization or escaping of extracted comment strings.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 25, 2026, 11:20 PM