experts
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is inherently exposed to indirect prompt injection because its primary function requires processing untrusted external data from project files and URLs. This is a known risk factor for auditing tools.
- Ingestion points: Project content is ingested from the local file system via the [PATH] variable and from external websites via the [URL] variable when browser tools are active.
- Boundary markers: The current subagent prompt template does not utilize explicit delimiters (e.g., XML tags or triple backticks with 'ignore' instructions) to separate the analyzed project data from the agent's core instructions.
- Capability inventory: Reviewer agents have access to file-reading and browser-inspection tools. However, the skill implements a strict 'no-code guard' ('Do NOT write any code — only research and report findings') which prevents agents from executing instructions found within the data.
- Sanitization: The skill does not currently include instructions for sanitizing or filtering input project data before it is reviewed by the subagent personas.
Audit Metadata