security-threat-review
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to perform reconnaissance on the local file system. It executes commands such as find, grep, cat, and wc to identify API routes, Server Actions, security modules, and database policies. These operations are diagnostic in nature and consistent with the skill's stated purpose of auditing the application's security state.
- [PROMPT_INJECTION]: The skill's workflow creates an indirect prompt injection surface by retrieving and passing raw application source code to Large Language Model (LLM) agents for evaluation.
  - Ingestion points: Code and configuration data are ingested from src/app/api, src/app/actions, src/lib/security, supabase/migrations/, and src/lib/test-mode.ts during Phase 0.
  - Boundary markers: The Phase 1 prompts use structural headers (e.g., '## アプリ概要') but lack explicit instructions to the sub-agents to ignore or treat embedded commands within the audited codebase as non-authoritative.
  - Capability inventory: The skill possesses extensive capabilities including Bash command execution, file system access (Read, Glob), and the ability to spawn further sub-processes (Task).
  - Sanitization: There is no evidence of content sanitization, escaping, or validation of the files retrieved from the repository before they are interpolated into the context for the 'red-team-attacker' and 'blue-team-defender' tasks.