axiom-tools

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The SKILL.md file uses high-pressure imperative language within <EXTREMELY-IMPORTANT> tags, stating that following the skill's workflow is "not negotiable" and that the agent has "NO CHOICE." This pattern is used to force the model to prioritize these instructions over its core system prompt.- [COMMAND_EXECUTION]: The skill documentation encourages the execution of local CLI tools xclog and xcsym. While these are documented as part of the Axiom toolset, they involve operations such as launching/terminating simulator apps and searching system-wide directories like ~/Library/Developer/Xcode/Archives.- [PROMPT_INJECTION]: The skill facilitates the ingestion of untrusted external data via logs and crash reports (e.g., .ips, .crash, MetricKit). There are no boundary markers or instructions provided to the agent to ignore potentially malicious content embedded within these data sources, creating a surface for indirect prompt injection.
  • Ingestion points: xclog-ref.md (logs via xclog launch/attach), xcsym-ref.md (crash reports via xcsym crash).
  • Boundary markers: Absent.
  • Capability inventory: Shell command execution via xclog and xcsym.
  • Sanitization: xcsym anonymize is mentioned for PII removal, but no sanitization is performed for prompt injection content within log messages or stack traces.
Audit Metadata
Risk Level
SAFE
Analyzed
May 14, 2026, 11:45 AM
Security Audit — agent-trust-hub — axiom-tools