dogfood

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted UI data from the mobile applications being tested.
  • Ingestion points: UI snapshots and element trees are captured via the agent-device snapshot -i command in SKILL.md.
  • Boundary markers: The instructions do not define explicit boundary markers or "ignore instructions" delimiters for the UI text processed during exploration.
  • Capability inventory: The skill possesses the ability to execute shell commands via Bash (specifically the agent-device CLI) as defined in the frontmatter and SKILL.md.
  • Sanitization: There is no evidence of sanitization or filtering of UI-derived text before it is returned to the agent's context for decision-making.
  • [REMOTE_CODE_EXECUTION]: The skill uses npx to execute the agent-device tool from the NPM registry.
  • Evidence: The frontmatter allows Bash(npx agent-device:*) and instructions suggest its use for mobile interaction.
  • Context: This is considered a safe practice as it utilizes a well-known package registry for standard tooling.
  • [COMMAND_EXECUTION]: The skill uses local shell commands for session management and file organization.
  • Evidence: Uses mkdir -p and cp commands in SKILL.md to set up output directories and report templates.
  • Context: These operations are restricted to the local workspace and are necessary for the skill's stated purpose of generating QA reports.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 29, 2026, 01:00 AM