workspace
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on various shell commands, including
ls,grep,find, andcat, to perform file system discovery and extract technical metadata from the project structure. - [DATA_EXFILTRATION]: The skill performs cross-directory discovery by accessing sibling folders (
../). It specifically targets.git/configfiles in neighboring repositories (cat ../*/.git/config | grep 'url') to identify related repositories and their remote URLs. This constitutes a form of context escape and information harvesting from directories outside the initialized repository. - [PROMPT_INJECTION]: The skill provides an attack surface for indirect prompt injection (Category 8) due to its core function of ingesting and summarizing external, potentially untrusted data.
- Ingestion points: The skill reads and parses content from
package.json,pyproject.toml,openapi.json, and general source code files across all detected workspace modules (inSKILL.md). - Boundary markers: Absent. The instructions do not define delimiters or provide warnings to the agent to ignore instructions contained within the analyzed project files.
- Capability inventory: The skill enables recursive file system access and shell command execution across multiple repositories, providing a path for malicious instructions to trigger further file reads or system discovery (in
SKILL.md). - Sanitization: None. Data from external files is ingested and summarized directly into project documentation without validation or escaping.
Audit Metadata