apr
Fail
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: HIGH
Flags: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill contains a hardcoded authentication token ("flywheel-apr-2026") and static remote host IP addresses (e.g., 100.114.183.31) in the configuration instructions for the Oracle remote setup.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of a global NPM package ("@steipete/oracle") from a third-party namespace to facilitate browser automation, which introduces an external dependency risk.
- [COMMAND_EXECUTION]: The skill instructs the agent to modify shell configuration files ("~/.zshrc") to persist environment variables ("ORACLE_REMOTE_HOST", "ORACLE_REMOTE_TOKEN"). This establishes a persistence mechanism that ensures external host and token information are loaded in every new session.
- [PROMPT_INJECTION]: The workflow automates the ingestion of external data from AI-generated outputs (".apr/rounds/fcp/round_.md") and applies it directly to project files. This creates a surface for indirect prompt injection.
- Ingestion points: Files located at .apr/rounds/fcp/round_N.md containing GPT Pro outputs.
- Boundary markers: Absent; the instructions do not specify delimiters or warnings to ignore embedded instructions in the ingested content.
- Capability inventory: The skill has capabilities to write to local files (FCP_Specification_V2.md, README.md, docs/fcp_model_connectors_rust.md), perform git commits, and push changes to remote repositories.
- Sanitization: Absent; the skill applies revisions (structs, enums, comments) directly from the external output to the codebase without validation or sanitization steps.
Recommendations
- AI detected serious security threats
Audit Metadata