context-bundling
Pass
Audited by Gen Agent Trust Hub on May 24, 2026
Risk Level: SAFE
Findings: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: Path Traversal and Sensitive Data Exposure. The file resolution logic in scripts/bundle.py (line 52) and scripts/manifest_manager.py (line 122) allows path traversal by joining user-supplied paths with the project root without validation. Furthermore, while the script attempts to filter sensitive files such as .env during directory recursion, it fails to apply these filters when files are explicitly listed in the manifest, allowing a user to deliberately include sensitive files.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill aggregates external content into bundles intended for agent consumption without sanitization.
  - Ingestion points: Files read from the filesystem via scripts/bundle.py based on entries in the user-controlled manifest JSON.
  - Boundary markers: The output uses Markdown headers and fenced code blocks (3 or 4 backticks). These provide weak separation that can be bypassed by malicious content containing similar markers.
  - Capability inventory: Performs file system reads and consolidated file writes to a Markdown bundle.
  - Sanitization: None; the script reads raw file contents and writes them directly to the output bundle without escaping or validation.
- [PROMPT_INJECTION]: Instruction Chaining Risk. The SKILL.md file (line 86) encourages including 'specialized prompt files' to guide receiving LLMs. This creates a multi-step instruction chain in which a compromise of the bundled files can hijack the downstream agent's behavior.
Audit Metadata