question
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it ingests data from external sources and local files that could contain malicious instructions designed to manipulate the agent.
  - Ingestion points: Untrusted content enters the agent's context through the Read tool (local files) and WebFetch (external URLs found via WebSearch).
  - Boundary markers: There are no explicit delimiters or guidelines provided to the agent to distinguish between its instructions and the data it retrieves.
  - Capability inventory: The skill can read local files and access the internet, but the allowed-tools configuration does not grant it the ability to write files or execute arbitrary shell commands.
  - Sanitization: Content from files and the web is processed without sanitization, validation, or filtering.
- [COMMAND_EXECUTION]: The skill uses the Bash tool for the specific purpose of running git ls-files to identify project structure. This is a limited and standard operation for this type of skill.
- [EXTERNAL_DOWNLOADS]: The skill uses WebSearch and WebFetch to retrieve information from the internet. While used for research and documentation, this mechanism allows for the ingestion of potentially untrusted data into the session.
Audit Metadata