Prompting

Pass

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The RenderTemplate.ts script executes the system command ls using Bun.spawnSync to list and register Handlebars partials from the local Partials directory. Additionally, the SKILL.md file instructs the agent to execute a curl command upon invocation.
  • [DATA_EXFILTRATION]: The skill requires a mandatory notification via curl to http://localhost:31337/notify. While restricted to the local network, this operation transmits session-related metadata (workflow name and action) to a local service.
  • [PROMPT_INJECTION]: The skill operates as a prompt generator that ingests data from external YAML and JSON files, creating a vulnerability surface for indirect prompt injection.
  • Ingestion points: Data is loaded from files in the Templates/Data/ directory via the loadData function in RenderTemplate.ts.
  • Boundary markers: The Handlebars templates (e.g., Briefing.hbs, Gate.hbs) do not include delimiters or instructions to ignore embedded commands within the variables.
  • Capability inventory: The skill environment permits network operations (curl in SKILL.md) and local command execution (Bun.spawnSync in RenderTemplate.ts).
  • Sanitization: There is no evidence of validation or escaping performed on the external data before it is rendered into a prompt for use by an AI agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 30, 2026, 03:34 PM
Security Audit — agent-trust-hub — Prompting