recap-doc
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted repository content (source code, technical specifications) and interpolates it directly into LLM synthesis prompts.
- Ingestion points: Repository files and git diffs are read in Phase 2 and Stage 3 of the workflow as defined in references/source-guide.md.
- Boundary markers: The synthesis prompt in references/prompt-template.md separates sections with standard markdown headers only; it has no strict delimiters (such as XML tags or random boundary tokens) that would isolate untrusted data from system instructions.
- Capability inventory: The skill has access to sensitive tools, including Write and Bash, which could be misused if the model follows instructions embedded in project files.
- Sanitization: The skill includes a script that redacts secrets from the output, but it does not sanitize or escape the input file content, so embedded instructions reach the model unchanged.
- [PROMPT_INJECTION]: The --focus CLI argument accepts arbitrary user input that is directly interpolated into the synthesis prompt (references/prompt-template.md), creating a direct prompt injection vector.
- [DATA_EXFILTRATION]: The skill implements a path security mechanism that validates output targets using fs.realpathSync, ensuring that reports are only written within the repository root or the system's temporary directory.
- [CREDENTIALS_UNSAFE]: The skill workflow includes a mandatory secret redaction phase (Phase 5a) using a specialized script to mask high-confidence credentials before any output is saved.