astro-actions
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The SKILL.md file contains mandatory workflow instructions that attempt to override and strictly define the agent's behavior.
- Evidence: The 'Agent Workflow (MANDATORY)' section in SKILL.md requires the spawning of specific agents and execution of tasks 'Before ANY implementation'.
- [PROMPT_INJECTION]: The skill describes patterns for ingesting untrusted data through server actions, creating a surface for indirect prompt injection.
- Ingestion points: HTML forms (references/forms.md) and JSON payloads (references/templates/json-action.md) processed by the 'handler' function.
- Boundary markers: No explicit prompt-level delimiters or 'ignore' instructions are provided in the code templates to separate user data from system instructions.
- Capability inventory: Actions are shown performing database mutations (db.newsletter.create, db.posts.like) and console logging in references/defining-actions.md and references/templates/contact-form.md.
- Sanitization: The skill correctly mandates the use of Zod schema validation ('Always define input schema — Never skip Zod validation') to enforce data types, which provides partial mitigation against malformed data but does not address natural language injection.
Audit Metadata