inquisitor
Warn
Audited by Gen Agent Trust Hub on May 23, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's core workflow involves subagents that write and execute arbitrary test scripts on the host system to verify feature implementation. Additionally, a 'Fixer' cycle allows the agent to modify production source code and re-run tests. Executing dynamically generated code or automatically applying code changes introduces significant risks if the generation process is influenced by malicious input or encounters unexpected behavior.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from 'git diff' outputs and interpolates this content directly into instructions for subagents that possess powerful file-system and execution capabilities. Malicious code comments or strings within a feature diff could potentially override agent instructions.
  - Ingestion points: The full feature diff computed via 'git diff' is interpolated into the inquisitor-prompt.md template used for subagent dispatch.
  - Boundary markers: The prompt template lacks explicit delimiters or instructions to treat the diff content as untrusted data or to ignore embedded instructions.
  - Capability inventory: The agent can write files (tests and production code fixes), execute shell commands (git and test runners), and utilize external model reviews.
  - Sanitization: No sanitization or validation of the diff content is performed before processing.
- [COMMAND_EXECUTION]: The skill relies on shell command execution to determine the state of the repository, specifically using 'git diff' and 'git merge-base' to calculate the analysis scope. It also likely executes a test runner to process the generated adversarial tests.
Audit Metadata