review-and-improve
Pass
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection (Category 8).
- Ingestion points: The skill reads nearly all files in the repository, including
README.md,AGENTS.md, code files inapp/,agents/,workflows/, and other configuration files inSKILL.md. - Boundary markers: There are no explicit instructions or delimiters used when processing these files to prevent the agent from obeying instructions potentially embedded within the repository content.
- Capability inventory: The skill has extensive capabilities, including writing to files (auto-fixing drift), executing shell commands (
curl,docker,git,grep,jq), and running repository-specific scripts (./scripts/format.sh,./scripts/validate.sh). - Sanitization: No sanitization or validation of the content read from files is described before it is used to inform agent actions or written back to other files.
- [COMMAND_EXECUTION]: The skill executes several local shell commands and repository scripts to perform its tasks.
- Evidence: Commands include
curl(targetinglocalhost:8000),docker compose,grep,jq,source .venv/bin/activate,git, and local scripts like./scripts/format.shand./scripts/validate.sh. - Intent: These actions are consistent with the skill's purpose of verifying repository state and running smoke tests, but users should be aware that the agent will execute these commands in their local environment.
Audit Metadata