full-review
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill utilizes directive language such as "MOST IMPORTANT. NEVER SKIP." and "PRIORITY:highest" to override the agent's standard instruction prioritization and ensure the skill's workflow is always executed.
- [COMMAND_EXECUTION]: The skill includes instructions to execute Git operations via shell commands, specifically for committing changes with human-readable messages.
- [INDIRECT_PROMPT_INJECTION]: The skill's primary function involves reading the "entire codebase" and "every file," which exposes the agent to untrusted data that could contain malicious instructions.
  - Ingestion points: [READ:entire-codebase] and [CHECK:every-file] in SKILL.md trigger the reading of all files in the current environment.
  - Boundary markers: Absent; the skill does not define delimiters or provide instructions to treat the codebase content as untrusted data.
  - Capability inventory: The agent is instructed to perform Git commits and write to a local persistence file (.autocode/memory.md).
  - Sanitization: Absent; there is no mention of filtering or escaping content ingested from the codebase before processing or "learning" from it.
- [DATA_EXPOSURE]: The "learn" step ([STEP4:learn]) explicitly instructs the agent to record user preferences, communication styles, and mistakes. While this data is stored in a local file (.autocode/memory.md), it constitutes behavioral profiling of the user.
Audit Metadata