codebase-advisor
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill incorporates explicit defensive instructions to protect against prompt injection attacks. It instructs the agent to treat all content read from the audited repository as data rather than instructions, specifically mentioning phrases like "ignore previous instructions" as content to be ignored and reported as a security finding. These patterns were identified as suspicious but are used as protective context.
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection because its primary function is processing untrusted codebase data.
- Ingestion points: Source code, READMEs, and configuration files are read from the repository during Phase 1 (Recon) and Phase 2 (Audit) using the Read, Grep, and Glob tools.
- Boundary markers: The agent is explicitly instructed via "Hard Rule 6" to treat read content as data. Additionally, executor subagents are provided with a preamble that warns them to ignore embedded instructions.
- Capability inventory: The skill has the capability to write and edit implementation plans on the local filesystem, create GitHub issues via the gh tool, and dispatch executor subagents in isolated worktrees.
- Sanitization: Findings are vetted in Phase 3 before being presented to the user, and "Hard Rule 4" prevents the agent from reproducing discovered credentials or secret values in its output.
- [COMMAND_EXECUTION]: The skill utilizes several Bash-based tools for repository reconnaissance and diagnostics (e.g., git log, npm audit, pip-audit, find, rg). These commands are restricted to specific read-only or analysis-focused operations. The skill includes strict "Hard Rules" that forbid running commands that mutate the user's working tree, such as commits or builds that write artifacts to non-standard directories.
Audit Metadata