onboarding
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted repository content to generate the
ONBOARDING.mdfile. - Ingestion points: Phase 2 reads various project files including
README.md, entry points, route handlers, and documentation files found in the repository. - Boundary markers: No specific delimiters or instructions are used to prevent the agent from following malicious instructions that might be embedded in the analyzed code or documentation.
- Capability inventory: The skill can execute local scripts (
inventory.mjs), write files to the repository, and perform network requests viacurl. - Sanitization: The skill does not perform validation or sanitization of the ingested repository content before processing.
- [DATA_EXFILTRATION]: The skill performs a network operation to an external third-party domain during the optional sharing phase.
- Evidence: Phase 5 uses
curlto POST the generated documentation content tohttps://www.proofeditor.ai/share/markdown. - Mitigation: The skill instructions explicitly forbid reading the
.envfile and include rules to ensure secrets like API keys and tokens are never included in the output. - [COMMAND_EXECUTION]: The skill executes shell commands to perform repository analysis and facilitate the sharing feature.
- Evidence: It executes
node scripts/inventory.mjsto map the repository andcurlto interact with the Proof Editor API if requested by the user.
Audit Metadata