morph-search
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes a local Python script located at scripts/mcp/morph_search.py using the 'uv run' command. This script provides the core functionality for searching and editing files within the codebase.
- [PROMPT_INJECTION]: The skill reads and processes content from the codebase, which introduces a surface for indirect prompt injection if the agent processes malicious instructions found within those files. 1. Ingestion points: Codebase content processed via the search functionality (SKILL.md). 2. Boundary markers: Absent; no instructions or delimiters are provided to ensure the agent ignores embedded content. 3. Capability inventory: Executes local scripts and performs file edits via the --edit parameter (SKILL.md). 4. Sanitization: Absent; no evidence of content sanitization or validation of searched data before processing.
Audit Metadata