update-docs
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests data from local project files that are then processed by AI subagents.
- Ingestion points: Step 1 reads the project root directory listing, and Step 3 reads the full text of documentation and source code files (e.g., README.md, src/server.ts).
- Boundary markers: There are no explicit delimiters, and the subagents are given no specific instructions to ignore commands embedded in the processed files or to treat them as data only.
- Capability inventory: The skill has access to powerful tools including Bash, Read, and Agent (for subagent spawning), creating a high-impact environment if the agent is misled.
- Sanitization: The skill performs no sanitization or validation of the content read from files before it is interpolated into subagent briefings.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to perform project discovery tasks (e.g., `ls`). While intended for benign use, the availability of a shell interface represents a risk if the agent's instructions are subverted by malicious input from the files it reads.
Audit Metadata