flywheel-scan
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from project repositories. Sub-agents (Scouts) read project files such as `README.md`, `CLAUDE.md`, and plan documents, passing this content to a 'Doppelganger' agent for analysis. Malicious content in these repositories could be used to manipulate the agent's scoring, prioritization, or suggested resolutions.
  - Ingestion points: `scout-protocol.md` and `scout.md` define steps where documentation and metadata are read from scanned repositories.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the sub-agent prompts.
  - Capability inventory: The skill is capable of executing shell commands and managing multiple sub-agents.
  - Sanitization: Content extracted from repositories is not sanitized before being used in agent prompts or written to output files.
- [PROMPT_INJECTION]: The `generate_replay.py` script presents a risk of Cross-Site Scripting (XSS) in the generated reports. It creates an HTML file by embedding result data into a script tag using simple string replacement. If a scanned repository contains malicious content (such as commit messages containing `</script>`), this could allow the execution of arbitrary JavaScript when the user views the generated report in a browser.
- [COMMAND_EXECUTION]: The skill executes multiple local shell commands and Python scripts as part of its operation. This includes `mkdir` for managing output directories, `git log` for tracking project activity, the `bd` (beads) CLI tool, and custom reporting scripts. While these are part of the intended functionality, they interact with project data and paths provided during execution.
Audit Metadata