necessity-audit

Pass

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill orchestrates its workflow by running several local Node.js scripts (preflight.js, debate-topic.js, consolidate.js, report.js, and redact.js) through the Bash tool. These scripts process intermediate JSON/text data kept in temporary directories to manage the audit lifecycle. They are local vendor resources that belong to the skill's own functionality.
  • [PROMPT_INJECTION]: The skill is exposed to Indirect Prompt Injection (Category 8) because it ingests untrusted data from the repository files being audited.
      • Ingestion points: The Read tool is used in Phase A and Phase B to ingest the content of the target file named by the <path> argument.
      • Boundary markers: Analysis of references/phase-a-classify.md and references/phase-b-debate-topic.md shows that the prompt templates neither wrap the audited text in XML tags or other delimiters nor instruct the model to ignore commands embedded in it.
      • Capability inventory: The agent has access to Bash (for the Node.js scripts and git commands), the Write tool, and mcp__codex__codex for secondary LLM reasoning. These are the actions an instruction embedded in an audited file would be able to invoke if the model followed it.
      • Sanitization: There is no evidence that the ingested document content is sanitized or escaped before it is interpolated into the LLM prompts for classification or debate.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 28, 2026, 02:18 AM
Security Audit — agent-trust-hub — necessity-audit