extract-service
Pass
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to run developer-defined verification commands, such as test runners and build scripts, during the refactoring process. This execution is protected by a mandatory operator-approval step where the plan is reviewed before any commands are executed.
- [PROMPT_INJECTION]: The skill has a theoretical surface for Indirect Prompt Injection because it reads and analyzes external source code. A malicious instruction embedded in the scanned code could attempt to influence the Planner Agent to suggest dangerous verification commands.
- Ingestion points: Source code files scanned in Scanner Agent (agents/scanner-agent.md).
- Boundary markers: Relies on procedural instructions to agents to maintain a "Two-layer purity" (G7) and separate operational logic from domain logic.
- Capability inventory: High-privilege tools including Bash, Write, Edit, and the ability to dispatch multiple agents.
- Sanitization: Mitigated by the mandatory Operator-approval gate (references/procedures/critical-gates.md) and post-migration review by the Critic Agent.
- [SAFE]: The repository includes local automation scripts (scripts/manifest-sync.ts, scripts/bootstrap-experience.ts) that implement defensive measures, such as verifying that directories and files are not symbolic links, to prevent file system traversal attacks.
Audit Metadata