rollback
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or unauthorized external communications were detected. The skill is limited to managing local state within the project's workspace.
- [PROMPT_INJECTION]: A surface for indirect prompt injection is present because the skill reads metadata (such as descriptions) from checkpoint files and reflects them in the agent's context. This is assessed as safe because the data source is local to the project repository and the skill enforces a mandatory user confirmation step via `AskUserQuestion` before performing any restoration.
  - Ingestion points: Reads checkpoint metadata and state from `.bkit/checkpoints/` and `.bkit/state/pdca-status.json`.
  - Boundary markers: No explicit delimiters or boundary markers are used for descriptions read from JSON metadata files.
  - Capability inventory: Uses `Bash`, `Read`, `Write`, and `AskUserQuestion` tools.
  - Sanitization: The instructions do not specify sanitization for metadata content before it is processed or displayed, but the confirmation requirement provides a critical human-in-the-loop control.
Audit Metadata