tech-debt
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is a legitimate utility for codebase maintenance with no identified malicious patterns. All operations are confined to the local filesystem for reading and updating technical debt documentation.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it ingests untrusted text from the codebase (e.g., TODO or FIXME comments).
  * Ingestion points: codebase files scanned via the Grep and Read tools during the scan subcommand.
  * Boundary markers: No explicit markers or instructions are provided to delineate untrusted comment text from the agent's logic.
  * Capability inventory: The skill's capabilities are restricted to the Read, Glob, Grep, and Write tools for managing local files.
  * Sanitization: The instructions do not specify any validation or sanitization for the content of scanned code comments.
Audit Metadata