build-fix

Pass

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it reads and processes untrusted project files and build logs to determine its next actions.
  • Ingestion points: The agent collects data from the project's source code and terminal output (build/type-check errors) as specified in the 'Collect Errors' section and the 'build-fixer' delegation prompt.
  • Boundary markers: The instructions lack explicit delimiters or markers to help the agent distinguish between its own system instructions and the potentially adversarial content within the code or error logs it is fixing.
  • Capability inventory: The skill utilizes powerful tools, including file system write access ('Fix Strategically') and shell execution ('Run tsc/build').
  • Sanitization: There is no mention of sanitizing or validating the ingested content before it is processed or used to generate shell commands.
  • [COMMAND_EXECUTION]: The skill explicitly instructs the agent to use a 'raw shell' for tasks such as 'dependency installation' and 'low-level debugging'. While functional, this provides a high-privilege execution environment. The risk is compounded by instructions in the 'GPT-5.4 Guidance Alignment' section that encourage the agent to 'continue through... next steps automatically', which could lead to the automated execution of malicious commands if the agent is compromised via indirect prompt injection.
Audit Metadata
Risk Level: SAFE
Analyzed: May 6, 2026, 05:06 PM