update-docs
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes `git diff` commands to identify changed Python files and extract API signature differences. These are standard operations for a development-focused skill and are limited to the local repository context.
- [PROMPT_INJECTION]: The skill instructs a spawned subagent to read its full instructions from a file within the repository (`.claude/agents/docs-updater.md`). This establishes an indirect prompt injection surface where instructions embedded in repository data could manipulate the subagent's behavior.
  - Ingestion points: The file `.claude/agents/docs-updater.md` is explicitly loaded into the subagent's context as a source of instructions.
  - Boundary markers: The prompt provided to the subagent does not use delimiters or explicit "ignore embedded instructions" warnings for the file content.
  - Capability inventory: The subagent is a general-purpose agent tasked with searching and modifying files across the entire repository, granting it significant filesystem access.
  - Sanitization: There is no evidence of sanitization or validation of the content of the instructions file before it is processed by the agent.
Audit Metadata