iblai-vibe-security-prompt-injection

Pass

Audited by Gen Agent Trust Hub on Jul 7, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill contains strings like 'Ignore previous instructions' and 'Repeat your instructions verbatim.' These are documented as 'common extraction attempts' for the purpose of auditing target applications and do not represent attempts to subvert the agent's own safety guidelines.
  • [DATA_EXPOSURE]: The skill instructs the agent to search for API keys and credentials in target codebases (e.g., 'openai', 'anthropic', 'API_KEY'). These are legitimate auditing actions and the skill does not contain any logic to exfiltrate this data or hardcode its own secrets.
  • [COMMAND_EXECUTION]: The skill utilizes standard command-line tools like Grep and Bash to map the attack surface of an application. These tools are scoped to the primary purpose of code analysis and auditing.
  • [INDIRECT_PROMPT_INJECTION]: As a security auditing tool, the skill naturally ingests untrusted data (application source code) and possesses capabilities like Bash and Write. While this creates a theoretical surface for indirect injection (where a malicious file being audited tricks the auditor), the skill's instructions are focused on defensive analysis, and the risk is considered low and inherent to the tool's function.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 7, 2026, 01:01 PM
Security Audit — agent-trust-hub — iblai-vibe-security-prompt-injection