section-refactor-with-todo-routing
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection (Category 8). Because it ingests arbitrary content from the `target_file` to generate summaries, meanings, and 'guide notes', a malicious file could include instructions that trick the agent into producing unintended output or leaking parts of its system context.
  1) Ingestion points: The `target_file` parameter provides the source data.
  2) Boundary markers: The skill relies on standard Markdown headings (H1-H6) but lacks explicit sanitization or instructions to ignore commands inside the processed text.
  3) Capability inventory: The agent reads file content and outputs refactored text.
  4) Sanitization: No sanitization or escaping of external content is specified before interpolation into the final output.
- DATA_EXPOSURE (SAFE): The skill accesses local files as part of its primary function. There are no patterns suggesting unauthorized access to sensitive system paths (like ~/.ssh) or network-based exfiltration of the data being processed.
Audit Metadata