setup-engine

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted data from external web sources (engine migration guides, changelogs) and local files (design/gdd/game-concept.md) to generate project configuration and documentation. This creates an indirect prompt injection surface where instructions hidden in the data could influence agent behavior.
  • Ingestion points: design/gdd/game-concept.md, WebSearch results, and WebFetch content from official documentation URLs.
  • Boundary markers: None. The instructions do not specify the use of delimiters when interpolating external content.
  • Capability inventory: Write, Edit, Task, WebSearch, WebFetch.
  • Sanitization: None. The skill populates CLAUDE.md and technical-preferences.md with extracted data.
  • Mitigation: The workflow mandates user review and confirmation (via AskUserQuestion) before any modifications are committed to the file system.
Audit Metadata
Risk Level: SAFE
Analyzed: May 15, 2026, 12:16 AM