parallel-task-spark
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via user-provided markdown plan files. Malicious instructions embedded in the 'Description', 'Acceptance Criteria', or 'Validation' sections of a plan file can manipulate the behavior of the subagents.
- Ingestion points: The skill reads external markdown files (e.g., `plan.md`, `auth-plan.md`) in Step 2 to define task logic.
- Boundary markers: The subagent prompt template lacks delimiters (like XML tags or clear separators) to isolate untrusted content from the plan, directly interpolating text into fields like `Description: [Full description]`.
- Sanitization: There is no evidence of sanitization or validation of the content extracted from the plan files before it is passed to the subagents.
- [COMMAND_EXECUTION]: The skill facilitates the execution of arbitrary shell commands defined within the plan files.
- Capability inventory: In Step 3, the subagent instructions require running 'exact commands' or 'concrete validation steps' defined in the plan file. This allows a malicious plan to execute harmful commands on the local system.
- Mitigation note: The skill includes a safety instruction for subagents to 'NEVER PUSH. ONLY COMMIT', which reduces the risk of automated code exfiltration via git repositories.