cook-auto-fast

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructs the agent to "skip research phase" and operate in "Autonomous mode: no user confirmation," which overrides standard safety protocols and encourages the agent to bypass standard quality gates. It also directs the agent to "skip code review step" during the implementation phase.
  • [PROMPT_INJECTION]: An indirect prompt injection surface is present. 1. Ingestion: The skill reads docs/project-reference/domain-entities-reference.md, which contains auto-injected content. 2. Boundary: It suggests checking for an [Injected: ...] header, which is an insufficient boundary for untrusted data. 3. Capability: The agent has tools for file modification and script execution. 4. Sanitization: No sanitization is performed on the injected content before it enters the context.
  • [COMMAND_EXECUTION]: The skill executes a project-local script python .claude/scripts/code_graph. This relies on the integrity of the project environment and could be exploited if malicious scripts are placed in the expected path.
  • [COMMAND_EXECUTION]: User-supplied $ARGUMENTS are interpolated into the <tasks> block, allowing unvetted input to define the agent's behavior and task execution list.
  • [SAFE]: The skill includes "Red Flag Stop Conditions" that mandate user escalation for security-sensitive operations (auth, crypto, PII), providing a necessary safety check against its autonomous implementation strategy.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 29, 2026, 09:19 AM
Security Audit — agent-trust-hub — cook-auto-fast