data-leakage-prevention
Warn
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: MEDIUM
Flagged categories: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to run pre-commit hooks found in the repository's .pre-commit-config.yaml file during the audit process. Since these hooks can point to arbitrary scripts or binaries, this creates a path for remote code execution if an attacker can control the contents of the repository being audited.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it requires the agent to perform a "semantic fuzz review" of untrusted data from files and git diffs without implementing boundary markers or sanitization.
  - Ingestion points: Target files, directories, and git diffs identified in the audit boundary (as described in SKILL.md and references/scope_discovery.md).
  - Boundary markers: No explicit delimiters or instructions are provided to help the agent distinguish between its instructions and the content being reviewed.
  - Capability inventory: The agent has the capability to execute git commands, read the local filesystem, and run local Python scripts and pre-commit hooks.
  - Sanitization: No sanitization or filtering of the audited content is performed before it is processed by the agent's semantic review logic.
- [EXTERNAL_DOWNLOADS]: The pii_scan.py script utilizes the Stanza NLP engine, which is configured to automatically download language models from official Stanford Stanza repositories if they are not found locally.
- [COMMAND_EXECUTION]: The skill makes extensive use of system commands, including git for identity and history inspection, and the uv tool for executing bundled Python scripts with managed dependencies.
Audit Metadata