refactor-prototype
Pass
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to run commands found within the refactor plan JSON file. Step 4 of the instructions explicitly requires the agent to "run it and fix any issues until the checks pass" for each command listed.
- [COMMAND_EXECUTION]: The instructions reduce user oversight by directing the agent to "perform the full refactor autonomously" and "not stop mid-way to ask the user what to do next or whether to continue."
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting and acting upon instructions from external artifacts without sanitization or protective boundaries.
  - Ingestion points: .agents/flow/it_{iteration}_audit.json and .agents/state.json.
  - Boundary markers: Absent. The skill does not include instructions to treat the external JSON content as data rather than instructions.
  - Capability inventory: The agent is empowered to execute shell commands and write files to the project directory.
  - Sanitization: Absent. No validation is performed on the commands or content loaded from the audit artifacts.