graph-update
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The 'Closing Reminders' section employs high-pressure, imperative language ('MANDATORY IMPORTANT MUST ATTENTION') to dictate agent behavior and force adherence to a specific task management workflow.
- [PROMPT_INJECTION]: The instructions command the agent to use a tool named TaskCreate, which is not listed in the allowed-tools section of the skill's YAML frontmatter, representing a configuration mismatch.
- [COMMAND_EXECUTION]: The skill invokes a local script located at .claude/scripts/code_graph via the Bash tool. This involves executing code from the local filesystem that is not explicitly defined within the skill itself.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and parse untrusted data from the local working tree into a knowledge graph, creating an attack surface for instructions embedded in source code.
- Ingestion points: Changed, added, or deleted files in the local repository working tree (SKILL.md).
- Boundary markers: Absent. There are no instructions to ignore or delimit embedded natural language instructions within the code files being parsed.
- Capability inventory: The skill possesses Bash execution and Read capabilities, which could be exploited if malicious instructions in the code graph influence subsequent agent actions.
- Sanitization: Absent. The instructions do not specify any validation or sanitization of the content before it is processed into the graph.
Audit Metadata