para-custodian

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill's architecture presents a surface for indirect prompt injection (Category 8).
      • Ingestion points: The Repo Survey Agent (references/agents/repo-survey.md) and Atomic Distillation Agent (references/agents/atomic-distillation.md) read filesystem metadata, git history, and the actual content of recently changed files from the repository.
      • Boundary markers: The instructions lack explicit boundary markers or delimiters to isolate untrusted repository data from the agent's logic. There are no directives for the agent to ignore potentially malicious instructions embedded within the processed files.
      • Capability inventory: The skill is authorized to create and move files, as well as perform automated git commit and push operations as described in SKILL.md.
      • Sanitization: No sanitization, escaping, or validation of the ingested repository content is performed before the data is processed by the sub-agents.
  • [COMMAND_EXECUTION]: The skill performs automated repository operations via shell commands.
      • Evidence: The SKILL.md file instructs the agent to "commit and push immediately with a step-scoped commit message" following file modifications, which involves executing git commands in the shell environment.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 7, 2026, 03:01 AM