verify

Pass

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by design, as it interprets and passes untrusted instructions from a manifest file to other agents.
  • Ingestion points: The skill reads and processes the manifest file (<manifest-file-path>), execution logs (<execution-log-path>), and discovery logs provided via arguments or found in the environment.
  • Boundary markers: The instructions in SKILL.md explicitly mandate passing the manifest's prompt: or command: fields "verbatim" and forbid the orchestrator from adding its own framing, opinions, or severity thresholds. There are no delimiters or instructions to subagents to ignore potentially malicious embedded content within the manifest data.
  • Capability inventory: The skill is capable of spawning various subagents, including criteria-checker agents and routing to bash or codebase verifiers, which could lead to code execution if those agents are misled by malicious manifest content.
  • Sanitization: No sanitization, validation, or escaping of the manifest-provided text is performed before it is interpolated into subagent prompts.
Audit Metadata
Risk Level
SAFE
Analyzed
May 1, 2026, 06:36 AM
Security Audit — agent-trust-hub — verify