sync-to-copilot

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute a local Node.js script at .claude/scripts/sync-copilot-workflows.cjs. This script performs the initial generation of instruction files.
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface because it reads untrusted data from documentation files and interpolates it into instruction files used by another AI.
      • Ingestion points: The agent reads markdown files from docs/project-reference/ and configuration from docs/copilot-registry.json.
      • Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore potentially malicious commands embedded in the source documentation.
      • Capability inventory: The skill allows for local shell command execution via Node.js and the ability to modify project configuration files in the .github/ directory.
      • Sanitization: The skill does not perform any validation, filtering, or escaping of the headings and summaries extracted from source files before writing them to the output files.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 10, 2026, 07:25 AM
Security Audit — agent-trust-hub — sync-to-copilot