runtime-hal
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill architecture is susceptible to indirect prompt injection due to the ingestion of untrusted data from the local filesystem.
- Ingestion points: Files like state/hooks/{agentId}.json and .claude/settings.json are read to determine behavior (SKILL.md, providers/claude-code.md).
- Boundary markers: The documentation does not specify the use of delimiters or warnings to ignore instructions embedded within the state files.
- Capability inventory: The skill facilitates the generation and execution of startup commands and GUPP constraints based on the ingested data.
- Sanitization: There is no mention of sanitizing or validating the contents of the state files before they are used to construct commands or prompts.
- [COMMAND_EXECUTION]: The skill describes routines for executing system-level commands and performing environment probes.
- Evidence: providers/claude-code.md details the use of cat within session hooks to inject context.
- Evidence: providers/codex.md specifies the use of the gt prime CLI tool for startup injection.
- Evidence: SKILL.md describes a detection cascade that includes scanning the system's process tree to identify active runtime binaries.
Audit Metadata