hard-cheese
Pass
Audited by Gen Agent Trust Hub on May 29, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by design. It captures free-text input from a user (an 'explanation' of code logic) and passes it verbatim to a judge sub-agent for evaluation.
  - Ingestion points: User-provided free-text captured in step 4 of the `SKILL.md` flow.
  - Boundary markers: The skill uses fenced blocks to delimit the user's explanation when presenting it to the judge sub-agent, as specified in `references/judge-prompt.md`.
  - Capability inventory: The user's input influences the outcome of the `pass` field in the sub-agent's JSON response, which determines whether the gate allows the workflow to proceed.
  - Sanitization: The skill explicitly avoids paraphrasing or sanitizing the user's input ('Do not paraphrase... verbatim') to ensure the judge evaluates the author's original words.
- [COMMAND_EXECUTION]: The skill utilizes standard development tools for local repository inspection. These include `git diff` for change detection and `delta` for diff rendering. These operations are restricted to the local working environment and the repository context.
- [DYNAMIC_EXECUTION]: The skill employs a 'fresh context' sub-agent pattern to perform grading. The sub-agent's output is expected to be a structured JSON object. The skill includes a 'fail-open' policy (documented as a 'divergence from the paper') where the gate allows the user to proceed if the sub-agent returns malformed output or fails to execute.
Audit Metadata