techdebt
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted content from the user's codebase.
  - Ingestion Points: The skill reads file content for analysis through `git diff` or entire codebase scans as described in Step 1 of the `SKILL.md` workflow.
  - Boundary Markers: The instructions for spawning subagents do not define strict delimiters or include 'ignore embedded instructions' warnings when passing codebase snippets into the analysis prompts.
  - Capability Inventory: The agent possesses capabilities to read files, spawn subagents, and modify the filesystem via its `--fix` mode.
  - Sanitization: There is no documentation of sanitization or filtering logic applied to codebase data before it is interpolated into agent instructions.
- [COMMAND_EXECUTION]: The skill performs extensive interaction with the local system through various CLI tools and file operations.
  - Tool Invocation: The skill relies on external tools including `ast-grep`, `radon`, `pylint`, `eslint`, `jscpd`, `gocyclo`, `golangci-lint`, `cargo-audit`, and `clippy`. If file names or contents are handled unsafely during tool invocation, it could lead to command injection.
  - File Modification: The `--fix` mode involves writing changes back to the filesystem. Although user confirmation is required, the logic for generating these 'fixes' is influenced by the potentially untrusted data being analyzed.
Audit Metadata