work
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface because it is designed to ingest and process content from the local codebase to generate technical plans and specifications.
  - Ingestion points: Codebase patterns and file contents are researched using an 'Explore agent' as described in `commands/plan.md` and `commands/spec.md`.
  - Boundary markers: The skill does not define specific delimiters or instructions to ignore embedded commands when interpolating discovered codebase content into the prompt context.
  - Capability inventory: The skill is granted significant filesystem permissions (`Read`, `Write`, `Edit`, `Glob`, `Grep`) and restricted shell execution (`Bash(git:*)`).
  - Sanitization: The instructions in `commands/audit.md` and `commands/spec.md` explicitly mandate the sanitization of user-provided topics by stripping path separators and traversal patterns like `../` to prevent directory traversal attacks.
- [COMMAND_EXECUTION]: The skill utilizes the `Bash` tool to perform system operations, but security is improved by restricting the tool's scope to Git-related commands (`git:*`), which prevents the execution of arbitrary shell commands.
Audit Metadata