axiom-tools
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The
SKILL.mdfile uses high-pressure imperative language within<EXTREMELY-IMPORTANT>tags, stating that following the skill's workflow is "not negotiable" and that the agent has "NO CHOICE." This pattern is used to force the model to prioritize these instructions over its core system prompt.- [COMMAND_EXECUTION]: The skill documentation encourages the execution of local CLI toolsxclogandxcsym. While these are documented as part of the Axiom toolset, they involve operations such as launching/terminating simulator apps and searching system-wide directories like~/Library/Developer/Xcode/Archives.- [PROMPT_INJECTION]: The skill facilitates the ingestion of untrusted external data via logs and crash reports (e.g.,.ips,.crash, MetricKit). There are no boundary markers or instructions provided to the agent to ignore potentially malicious content embedded within these data sources, creating a surface for indirect prompt injection. - Ingestion points:
xclog-ref.md(logs viaxclog launch/attach),xcsym-ref.md(crash reports viaxcsym crash). - Boundary markers: Absent.
- Capability inventory: Shell command execution via
xclogandxcsym. - Sanitization:
xcsym anonymizeis mentioned for PII removal, but no sanitization is performed for prompt injection content within log messages or stack traces.
Audit Metadata