add-community-extension
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its core workflow of processing external, user-provided content.
- Ingestion points: The agent reads content from untrusted GitHub issue submissions (issue URL/number) and fetches metadata from third-party repositories (extension.yml, README.md, and release tags).
- Boundary markers: Absent. The instructions do not provide delimiters or guidance to ignore instructions that might be embedded within the extension's name, description, or repository content.
- Capability inventory: The skill allows the agent to modify local files (
catalog.community.json,extensions.md), execute shell commands (git,python3), push code to remote branches, and open pull requests to the upstream repository. - Sanitization: While the skill enforces structural validation for certain fields (regex for extension IDs and semver for versions), it lacks sanitization for free-text fields like the extension description, which are directly interpolated into the catalog and documentation.
Audit Metadata