Skills
skills/brave/brave-core/add-best-practice/Gen Agent Trust Hub

add-best-practice

Pass

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It fetches untrusted data from GitHub PR comments and source code files, which are then processed by a subagent (Step 5.5). Maliciously crafted comments could attempt to influence the agent's behavior.
  • Ingestion points: User-provided GitHub PR URLs, gh api output for comments, and local source file content.
  • Boundary markers: Uses basic text headers like SOURCE CONTEXT: and DRAFTED BEST PRACTICE: in the subagent prompt, but lacks robust delimiters or escaping.
  • Capability inventory: High-privilege capabilities including Bash (git, gh, python3), Write, Edit, and Agent (subagent spawning).
  • Sanitization: No explicit sanitization or validation of the fetched comment text before passing it to the subagent.
  • [COMMAND_EXECUTION]: Executes local Python scripts resident in the repository (./.claude/skills/review/discover-bp-docs.py and ./script/manage-bp-ids.py). While these are vendor-provided scripts for the brave-core environment, they represent execution of local files.
  • [DATA_EXFILTRATION]: Performs network operations using gh api and WebFetch to retrieve data from GitHub and potentially other URLs provided in arguments. While used for legitimate context gathering, these tools could be used to reach non-whitelisted domains.
Audit Metadata
Risk Level
SAFE
Analyzed
May 2, 2026, 06:15 PM