polecat-worker
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to autonomously execute instructions contained within 'beads' (work items).
- Ingestion points: The agent retrieves work items via state.getHook(myAgentId) in SKILL.md, specifically accessing workItem.beadId, workItem.title, and the work item description, which provides the execution context.
- Boundary markers: There are no explicit boundary markers or instructions provided to the agent to disregard potentially malicious commands embedded within the task descriptions.
- Capability inventory: The skill possesses capabilities for file system access via a StateManager (reading and writing in .chipset/state/) and execution of git commands (git checkout, git commit, git push), as seen in SKILL.md and references/examples.md.
- Sanitization: No evidence of input validation or sanitization is present for the data retrieved from the work items before it is used in logic or command execution.
Audit Metadata