context-state-tracker

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill creates a significant attack surface by processing untrusted data that is then used to influence the agent's context and decision-making.
  • Ingestion points: The skill reads from feature_list.json, claude-progress.txt, and the output of git log (via scripts/git_state.py).
  • Boundary markers: The documentation does not specify any delimiters or instructions to ignore embedded commands within the ingested data, making it likely that the agent will follow instructions found in commit messages or feature descriptions.
  • Capability inventory: The skill can write to the filesystem (save_progress, update_status) and interact with the Git binary, providing the necessary primitives for an injection to have side effects.
  • Sanitization: No sanitization, escaping, or validation of external content is mentioned before it is interpolated into the agent's session state.
  • Command Execution (MEDIUM): The integration with Git (scripts/git_state.py) implies the execution of system commands. While inherent to the skill's purpose, this represents a risk if the agent constructs Git commands using unsanitized strings from the project state.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:09 AM