aif
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
Finding categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its instruction to read and obey project-specific rules in `.ai-factory/skill-context/aif/SKILL.md`. It explicitly states that these rules act as "project-level overrides" and "win" over the skill's default instructions, allowing untrusted files in a repository to hijack agent behavior.
  - Ingestion points: `.ai-factory/skill-context/aif/SKILL.md`, `package.json`, and other stack configuration files.
  - Boundary markers: Absent. The skill lacks delimiters or warnings to ignore instructions embedded in the project data it analyzes.
  - Capability inventory: The agent can execute shell commands (`Bash`), write files (`Write`), and fetch web content (`WebFetch`).
  - Sanitization: None. Data from files is interpolated directly into the agent's logic.
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs additional agent skills from an external registry (`skills.sh`). While it mandates a security scan for these downloads, it still involves executing remote code.
- [COMMAND_EXECUTION]: The skill utilizes powerful shell commands including `rm -rf *` for cleaning, `npx` for installing external packages, and `python` for running security scripts. These are scoped to the project directory but represent a high level of privilege within that scope.
Audit Metadata