money-restore

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill possesses an ingestion surface for indirect prompt injection as it reads and parses content from local session files.
  • Ingestion points: Markdown and YAML snapshot files located in ~/.smtm/sessions/{project}/.
  • Boundary markers: Absent; the instructions do not define specific delimiters to isolate potentially untrusted content from the files.
  • Capability inventory: The skill relies on file-reading capabilities to retrieve state. It explicitly prohibits the autonomous execution of subsequent skills (Step 5), which limits the impact of potential injections.
  • Sanitization: Absent; the instructions direct the agent to parse and present the content of the snapshot files verbatim.
  • [SAFE]: No malicious prompt injection markers or attempts to bypass safety filters were found in the instructions.
  • [SAFE]: The skill does not perform any network operations or external data exfiltration. All data operations are restricted to a local application-specific directory.
  • [SAFE]: No credential harvesting or access to sensitive system paths (e.g., .ssh, .aws, .env) was detected.
  • [SAFE]: No remote code execution or dynamic code generation patterns are present.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 03:34 PM
Security Audit — agent-trust-hub — money-restore