aif-improve
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and analyzes potentially untrusted content from the project codebase, implementation plans, and a dedicated 'skill-context' configuration file.
- Ingestion points: SKILL.md Step 1.1 reads plan files, Step 1.3 reads project-specific override rules and past patches, and Step 2 performs broad file discovery and reading (Glob, Grep, Read) across the project directory.
- Boundary markers: The skill does not define specific delimiters or boundary markers to separate instructional content from the data being processed.
- Capability inventory: The skill has the capability to modify the project through Write and Edit tools, and to manipulate the agent's task list via TaskUpdate and TaskCreate.
- Sanitization: There is no explicit sanitization or validation of the content read from files; notably, Step 1.3 instructs the agent that project-specific rules in 'skill-context' must take priority even if they conflict with the skill's core instructions.
- Remediation: This risk is effectively mitigated by the human-in-the-loop requirement in Step 4, which mandates that the agent present a report and obtain user approval via AskUserQuestion before performing any modifications.
Audit Metadata