analyze-feedback

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill is designed to ingest data from external GitHub workflow artifacts and use that content to update its own instruction files and other skills. This creates a risk where malicious feedback could influence future agent behavior.
      • Ingestion points: GitHub artifacts downloaded via gh run download (SKILL.md Step 3).
      • Boundary markers: The instructions tell the agent to rephrase insights in its own words and strip shell commands, which acts as a manual boundary (SKILL.md Step 3, Step 5).
      • Capability inventory: The agent has file system write access to .claude/ skill files and CLAUDE.md, and uses the gh CLI (SKILL.md Step 2, Step 3, Step 5).
      • Sanitization: The skill mandates rephrasing into concise, factual statements rather than verbatim copying (SKILL.md Step 3).
  • [COMMAND_EXECUTION]: The skill uses the GitHub CLI (gh) to list workflow runs and download artifacts. While these are standard development operations, they represent the execution of external CLI tools (SKILL.md Step 2, Step 3).
  • [EXTERNAL_DOWNLOADS]: Fetches artifact data from GitHub's servers. The instructions restrict these downloads to the Shopify/flash-list repository, which aligns with the skill author's context (SKILL.md Step 3).
  • [PROMPT_INJECTION]: Self-Modifying Instructions. The 'Self-Evolving Instructions' section directs the agent to update the skill's own source code (SKILL.md) based on external feedback, which could be exploited to permanently alter the agent's operating logic.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 13, 2026, 02:35 AM