verify-gate
Warn
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill automatically identifies and runs shell commands found in project metadata files like package.json, Makefile, and Cargo.toml. This behavior allows for arbitrary command execution if these configuration files are maliciously crafted or modified.
- [REMOTE_CODE_EXECUTION]: The mcp-scripts feature enables the execution of arbitrary shell or JavaScript code defined in configuration files such as .github/workflows/verify-gate-ci.md or .verify-gate.yml. This provides a direct path for executing code from potentially untrusted project data.
- [PROMPT_INJECTION]: The skill reads project documentation files like CLAUDE.md and AGENTS.md to find verification commands, making it susceptible to indirect prompt injection where an attacker could hide malicious instructions in these files. 1. Ingestion points: Project configuration and documentation files including package.json, Cargo.toml, CLAUDE.md, and .verify-gate.yml are read for instructions. 2. Boundary markers: No delimiters or safety instructions are used to prevent the agent from obeying instructions embedded within the ingested data files. 3. Capability inventory: The agent has the permission to execute shell commands, run custom scripts, and modify source files through its automated 'Fix Loop'. 4. Sanitization: No validation logic is defined to check the safety of discovered commands before they are executed in the shell environment.
Audit Metadata