fossil
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its core functionality of ingesting and analyzing untrusted data from multiple external sources.
  - Ingestion points: The skill reads and processes source code, inline comments, test cases, database schemas, git commit history (as seen in `SKILL.md` and `references/patterns.md`), and on-call chat logs (as seen in `references/runbook-codification.md`).
  - Boundary markers: While the skill utilizes a structured workflow (`SCOPE -> DIG -> CROSS-REF -> CATALOG -> ASSESS`) and assigns confidence scores to its findings, it does not explicitly instruct the agent to use XML delimiters or other isolation techniques to prevent instructions embedded in comments or logs from being interpreted as commands.
  - Capability inventory: The skill executes shell commands (`git log`) and transmits its findings to other agents like `Shift` (migration planning), `Scribe` (specification), and `Builder` (reimplementation), which may take further automated actions based on potentially poisoned rule catalogs.
  - Sanitization: There are no instructions for sanitizing or escaping the content extracted from code or history layers before it is incorporated into the rule catalogs or agent handoffs.
Audit Metadata