parallel-task-spark
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it parses external markdown files and uses the extracted text to build prompts for subagents. Maliciously crafted tasks or criteria within a plan file could influence subagent behavior.
  - Ingestion points: Step 2 in SKILL.md reads user-provided markdown plan files (e.g., plan.md, auth-plan.md).
  - Boundary markers: None present; content from the plan is interpolated directly into the subagent prompt template.
  - Capability inventory: Subagents have the ability to read/edit files and perform git commits.
  - Sanitization: There is no evidence of sanitization or filtering of the content extracted from the plan files.
- [COMMAND_EXECUTION]: The orchestrator launches subagents that are instructed to modify the file system and perform Git commits based on the logic parsed from external plan files. This capability could be abused if the plan file contains malicious instructions.
- [DATA_EXFILTRATION]: The subagent instructions include reading files and updating the plan file with concise work logs. This creates a pathway for data exposure if a task within the plan file directs the agent to read sensitive files and include their content in the public-facing logs.
Audit Metadata