docs-pro
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection. It ingests untrusted data from source code files (src/) and pull request descriptions which it uses to draft documentation. Because the skill has 'Bash' and 'Write' tool permissions, an attacker can embed instructions in code docstrings that the agent may mistakenly execute as commands.\n
- Ingestion points: Source code, docstrings, and PR descriptions (referenced in references/ai-collaboration.md and SKILL.md).\n
- Capability inventory: Explicitly permits 'Bash', 'Write', and 'Read' tools. Commands like 'git diff' and 'yarn prettier --write' are used within instructions.\n
- Boundary markers: None present to distinguish untrusted data from instructions.\n
- Sanitization: No sanitization or filtering logic is defined for processed content.\n- [COMMAND_EXECUTION] (HIGH): The skill encourages the agent to use shell commands such as 'git diff', 'rg', and 'ls' for auditing documentation coverage. The 'docs-write' sub-skill explicitly grants the agent 'Bash' tool access, creating a direct path for command execution if triggered by injected instructions.\n- [EXTERNAL_DOWNLOADS] (MEDIUM): The 'documentation-lookup' module depends on external APIs (Context7) to resolve library IDs and fetch documentation at runtime. While these are intended for retrieval-augmented generation, they introduce a dependency on external content that could be manipulated to influence the agent's behavior.
Recommendations
- AI detected serious security threats
Audit Metadata