ruledoctor
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill functions by reading instructions from external rule and configuration files, which presents a surface for indirect prompt injection.
  - Ingestion points: Project rule files (e.g., `CLAUDE.md`, `.cursorrules`, `.cursor/rules/*.md`) and the `.ruledoctor.json` configuration file (SKILL.md).
  - Boundary markers: Absent; the skill does not instruct the agent to use delimiters or ignore potentially malicious instructions embedded within the ingested rule content.
  - Capability inventory: The agent can read files and is instructed to conditionally refuse command executions (e.g., `git push --force`) based on rule content.
  - Sanitization: Absent; rule file content is not validated or escaped before being processed by the agent.
- [COMMAND_EXECUTION]: The skill provides instructions for the agent to execute specific shell commands using a vendor-provided CLI tool.
  - Evidence: The command `ruledoctor --cwd "<项目根>" --last-session` is specified for reporting, and `ruledoctor setup` is mentioned for installing command-interception hooks (SKILL.md).
Audit Metadata