find-mismatch

Pass

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download and install the fallow package globally using npm install -g fallow. While the npm registry is a well-known service, the installation is unversioned, which departs from the security best practice of pinning dependencies.
  • [COMMAND_EXECUTION]: The agent is directed to execute several shell commands, including npm install for dependency management, fallow audit for code analysis, and git diff to identify modified files.
  • [PROMPT_INJECTION]: The skill processes untrusted external data in the form of project source code and git diffs. This creates a surface for indirect prompt injection where a malicious file could contain instructions designed to bypass review logic or manipulate the agent's output.
      • Ingestion points: Project source files and output from git diff --staged --name-only.
      • Boundary markers: None identified; there are no instructions for the agent to ignore or delimit embedded natural language prompts within the code being analyzed.
      • Capability inventory: The skill has the ability to run shell commands (npm, fallow, git) and modify project files during its auto-fix phase.
      • Sanitization: There is no evidence of content sanitization or validation before the code is processed or displayed.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 20, 2026, 12:12 AM