deploying-infra

Pass

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it processes untrusted data (infrastructure configuration files) that could contain malicious instructions designed to influence the agent's behavior during the review or application phase.
  • Ingestion points: Infrastructure files such as **/*.tf, **/*.yaml, and Dockerfile are discovered via Glob and read into context during Step 2 and Step 3.
  • Boundary markers: There are no explicit delimiters or 'ignore embedded instructions' warnings defined when the agent presents diffs or passes configurations to the infra-engineer subagent.
  • Capability inventory: The skill has extensive command-line capabilities, including Bash(kubectl *), Bash(terraform *), Bash(helm *), and Bash(docker *).
  • Sanitization: The instructions do not specify any sanitization or escaping of the file contents before they are interpolated into the prompt for the subagent or presented to the user.
  • [COMMAND_EXECUTION]: The skill's YAML frontmatter requests broad Bash tool permissions using wildcards (e.g., Bash(kubectl *), Bash(terraform *)). While these are necessary for the skill's primary function of infrastructure management, they grant the agent the ability to execute any subcommand within those toolsets, increasing the impact of a potential prompt injection or misstep.
  • [EXTERNAL_DOWNLOADS]: The skill utilizes mcp__perplexity-ask__perplexity_ask to fetch current best practices. This is a reference to a well-known external research service used to provide updated guidance on technology concerns during the validation phase.
Audit Metadata
Risk Level: SAFE
Analyzed: May 4, 2026, 04:17 AM
Security Audit — agent-trust-hub — deploying-infra