fixflow
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill implements security best practices for automated coding tasks. In
references/delivery-base.md, it instructs the agent to record a 'dirty-worktree baseline' before starting and explicitly forbids including unrelated pre-existing files in commits. This is an effective guardrail against the accidental staging and exposure of sensitive local files, such as environment variables or private keys, during the execution of coding tasks. - [COMMAND_EXECUTION]: The skill is designed to execute project-specific commands for building and testing code as part of its 'Verification Loop'. This is an intended and necessary capability for its primary function. To mitigate risks associated with autonomous execution, the skill implements a failure loop control in
references/delivery-base.mdthat limits automated fix attempts to a maximum of three before stopping and reporting to the user. - [PROMPT_INJECTION]: The skill has an indirect prompt injection attack surface because it processes untrusted data from project files and user-defined requirements to generate implementation plans and BDD scenarios. However, this risk is inherent to all coding assistant tools and the skill does not contain instructions that attempt to bypass the agent's core safety filters.
- Ingestion points: The skill reads project source code, configuration files, and user-provided requirements (
SKILL.md,references/delivery-base.md). - Boundary markers: The current workflow templates do not specify the use of delimiters for external content.
- Capability inventory: The skill has the capability to execute shell commands, write to the filesystem, and perform Git operations (
references/delivery-base.md). - Sanitization: No specific sanitization or filtering logic is defined for the content processed from external sources.
Audit Metadata