review-and-improve

Pass

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection (Category 8).
  • Ingestion points: The skill reads nearly all files in the repository, including README.md, AGENTS.md, code files in app/, agents/, workflows/, and other configuration files in SKILL.md.
  • Boundary markers: There are no explicit instructions or delimiters used when processing these files to prevent the agent from obeying instructions potentially embedded within the repository content.
  • Capability inventory: The skill has extensive capabilities, including writing to files (auto-fixing drift), executing shell commands (curl, docker, git, grep, jq), and running repository-specific scripts (./scripts/format.sh, ./scripts/validate.sh).
  • Sanitization: No sanitization or validation of the content read from files is described before it is used to inform agent actions or written back to other files.
  • [COMMAND_EXECUTION]: The skill executes several local shell commands and repository scripts to perform its tasks.
  • Evidence: Commands include curl (targeting localhost:8000), docker compose, grep, jq, source .venv/bin/activate, git, and local scripts like ./scripts/format.sh and ./scripts/validate.sh.
  • Intent: These actions are consistent with the skill's purpose of verifying repository state and running smoke tests, but users should be aware that the agent will execute these commands in their local environment.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 30, 2026, 01:03 PM
Security Audit — agent-trust-hub — review-and-improve