tech-writer
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because its primary workflow involves ingesting untrusted external data.
- Ingestion points: In SKILL.md, the 'Process' section (Step 1) and 'Transcribe' mode require the agent to read 'source' materials including external code, CLI help, API surfaces, tickets, and diffs.
- Boundary markers: The instructions do not define clear delimiters or provide 'ignore embedded instructions' warnings for the ingested source material.
- Capability inventory: While the skill itself defines no scripts, it explicitly instructs the agent to verify command execution. If the agent has shell or terminal capabilities, it may attempt to execute commands found in the source data.
- Sanitization: No sanitization or validation of the external content is prescribed.
- [COMMAND_EXECUTION]: In the 'Self-check' section of SKILL.md, the skill instructs the agent to 'Confirm every command runs' and 'Confirm every link resolves'. This behavior encourages the agent to execute code snippets or perform network requests based on potentially attacker-controlled source material (e.g., a malicious PR or bug report).
Audit Metadata