warden-sweep

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run throughout its scripts (scan.py, create_issue.py, organize.py, _utils.py) to execute CLI commands such as git, gh, and warden. These executions are central to the skill's purpose of scanning repositories and managing GitHub issues/PRs.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection during the verification and patching phases.
    • Ingestion points: Untrusted data enters the agent's context through findings extracted from the codebase by the warden tool (e.g., in data/all-findings.jsonl).
    • Boundary markers: Prompts in references/verify-prompt.md and references/patch-prompt.md use markdown structures to delimit ingested finding data, but these do not provide strong protection against adversarial input.
    • Capability inventory: The agent has the ability to execute shell commands, manage git worktrees, modify local files, and perform network operations via the gh CLI.
    • Sanitization: There is no evidence of sanitization or escaping of finding metadata (titles, descriptions) before it is interpolated into the subagent prompts, which could allow malicious code comments to influence the subagent's behavior.
Audit Metadata
Risk Level: SAFE
Analyzed: May 16, 2026, 03:42 AM
Security Audit — agent-trust-hub — warden-sweep