refine-journey
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill automatically detects build systems (npm, cargo, swift, etc.) and executes associated shell commands to build the project and run UI/unit tests. These commands are dynamically determined by the agent while inspecting local files.\n- [DATA_EXFILTRATION]: Uses the
gh gist editcommand to write project-derived findings and 'pitfall' patterns to a specific, hardcoded GitHub Gist (ID:84a5c108d5742c850704a5088a3f4cbf). This facilitates the transfer of project metadata and technical observations to an external, shared destination.\n- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it analyzes untrusted project data to update its core logic.\n - Ingestion points: Phase 1 reads
spec.md,journey.md, and generated test code from the project root and subdirectories.\n - Boundary markers: The instructions lack specific boundary markers or 'ignore' commands to prevent the agent from following instructions embedded inside the files being analyzed.\n
- Capability inventory: The agent has permissions to execute shell commands, modify the local
AGENTS.mdinstruction file, and write to an external Gist.\n - Sanitization: No evidence of sanitization or validation logic is present to filter malicious instructions before they are applied to the skill's persistent configuration files.
Audit Metadata