extract-service

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to run developer-defined verification commands, such as test runners and build scripts, during the refactoring process. This execution is protected by a mandatory operator-approval step where the plan is reviewed before any commands are executed.
  • [PROMPT_INJECTION]: The skill has a theoretical surface for Indirect Prompt Injection because it reads and analyzes external source code. A malicious instruction embedded in the scanned code could attempt to influence the Planner Agent to suggest dangerous verification commands.
  • Ingestion points: Source code files scanned in Scanner Agent (agents/scanner-agent.md).
  • Boundary markers: Relies on procedural instructions to agents to maintain a "Two-layer purity" (G7) and separate operational logic from domain logic.
  • Capability inventory: High-privilege tools including Bash, Write, Edit, and the ability to dispatch multiple agents.
  • Sanitization: Mitigated by the mandatory Operator-approval gate (references/procedures/critical-gates.md) and post-migration review by the Critic Agent.
  • [SAFE]: The repository includes local automation scripts (scripts/manifest-sync.ts, scripts/bootstrap-experience.ts) that implement defensive measures, such as verifying that directories and files are not symbolic links, to prevent file system traversal attacks.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 02:42 PM
Security Audit — agent-trust-hub — extract-service