co-design
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to launch background processes running the `claude -p` command. The prompt for these tasks is dynamically generated by reading and parsing external markdown 'plan' files. Assembling shell commands from external, potentially untrusted input is a medium-risk pattern for unintended command execution.
- [PROMPT_INJECTION]: The orchestrator logic is vulnerable to indirect prompt injection. It ingests data from external markdown files and interpolates it directly into prompts for subagents without sanitization or protective boundary markers.
  - Ingestion points: Markdown files provided by the user (e.g., `plan.md`, `landing-page-plan.md`) via the `/co-design` command.
  - Boundary markers: Absent; the skill lacks delimiters or explicit instructions to subagents to ignore potential instructions embedded in the task data.
  - Capability inventory: Subagents launched via this skill are granted powerful capabilities, including the `Bash`, `Write`, `WebFetch`, and `WebSearch` tools, increasing the potential impact of an injection attack.
  - Sanitization: There is no evidence of filtering or escaping logic applied to the content extracted from the plan files before it is passed to the subagent or the shell.