skills/kashyab12/uni-pstack/recall/Gen Agent Trust Hub

recall

Pass

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains instructions that explicitly override default agent behavior and model choices. It directs the agent to 'Replace upstream Composer, Claude Opus, and other panel defaults with Codex gpt-5.6-sol' and to ignore Cursor-specific tool defaults in favor of host-native tools.
  • [COMMAND_EXECUTION]: The instructions require the agent to execute shell commands and launch sub-processes. This includes launching 'Codex CLI workers' using the 'spawn-codex-worker' script or performing 'direct codex exec'.
  • [INDIRECT_PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection because its core function is to read and process untrusted data from multiple external sources.
  • Ingestion points: The skill reads from 'source control, the issue tracker, chat and issue channels, long-form docs, and error tracking' (SKILL.md).
  • Boundary markers: There are no explicit delimiters or 'ignore embedded instructions' warnings provided in the instructions for the data being fetched.
  • Capability inventory: The agent is authorized to spawn parallel subagents, read local and remote transcripts, and use tools like git and gh to verify state.
  • Sanitization: While the skill mentions sanitizing private context before public output, it lacks measures to sanitize or escape input data to prevent the agent from following instructions embedded in the logs or tickets it analyzes.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 10, 2026, 04:46 PM