batch-editor
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses standard CLI tools including
git statusandgrepto manage file state and search for content within the user's project directory. These commands are used legitimately for the stated purpose of identifying target files and ensuring a clean working environment before and after modifications.\n- [PROMPT_INJECTION]: The skill processes untrusted markdown files, representing a surface for indirect prompt injection. The risk is mitigated by the architectural requirement for human review.\n - Ingestion points: Ingests content from
content/posts/*.mdduring scanning and preview phases as described inSKILL.md.\n - Boundary markers: Identifies YAML frontmatter delimited by
---but lacks explicit delimiters for the main body content.\n - Capability inventory: Possesses
Bash,Write,Edit, andTasktools, allowing for file modification and command execution across all scripts.\n - Sanitization: No automated content sanitization is performed on the files being read; however, the mandatory 'Preview-Confirm-Apply' workflow provides a human-in-the-loop safety gate that prevents the agent from autonomously following instructions embedded in posts.
Audit Metadata