follow-my-lead
Pass
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to execute shell commands for git operations (e.g., git diff, git log) and project-specific tasks such as linting, type-checking, compiling, and running test suites. These commands are executed within the local environment to validate code changes.
- [PROMPT_INJECTION]: The skill processes data from the local repository (diffs, staged changes, and surrounding source code) to infer the user's intent. Because this data comes from the workspace and is used to drive the agent's logic, it represents an indirect prompt injection surface where malicious content in the repository could potentially influence the agent's actions.
  - Ingestion points: Reads git diffs, file contents, and directory structures (SKILL.md).
  - Boundary markers: None; the agent is instructed to treat the diff as the 'strongest clue about direction' without explicit isolation from potential malicious instructions embedded in comments or code.
  - Capability inventory: Executes shell commands (git, tests, build tools) and modifies files locally.
  - Sanitization: None; the skill relies on the LLM's interpretation of inferred intent.
- [DYNAMIC_EXECUTION]: The skill implements a workflow where it modifies source code and then executes validation steps like compilation or test suites on the resulting code, effectively running code it has generated or updated.
Audit Metadata