audit
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted artifact and evidence files, creating a surface for indirect prompt injection.
  - Ingestion points: Reads Markdown artifacts and evidence files from user-defined paths in Phase 1.
  - Boundary markers: No specific delimiters or "ignore instructions" warnings are utilized when processing the content to prevent the agent from obeying embedded directives.
  - Capability inventory: Includes shell command execution (git pull), filesystem write access in Phase 6, and the ability to call external tools such as /research or /explore.
  - Sanitization: The agent is instructed to directly quote and interact with potentially malicious text without filtering or escaping.
- [COMMAND_EXECUTION]: In Phase 1, the skill calls 'git pull' to update the local codebase. This represents the execution of a shell command that interacts with the filesystem and external processes.
- [EXTERNAL_DOWNLOADS]: The 'git pull' command initiates a network request to a remote repository to fetch and merge the latest changes, which is a form of external data download.
- [DATA_EXFILTRATION]: The skill accesses local filesystem paths including the user's home directory (~/.claude/oss-repos/) to verify claims against source code. While this is part of the audit process, it grants the agent read access to content on the host machine which could be exposed via the findings report.
Audit Metadata