spec-workflow-init
Pass
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various shell commands to perform project environment discovery.
  - Evidence: SKILL.md contains commands such as git rev-parse, ls -la, find, and cat package.json used to identify package managers, CI/CD services, and existing project configurations.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting untrusted project metadata into its generated instructions.
  - Ingestion points: In SKILL.md, the tool reads contents from local project manifest files like package.json, go.mod, and pyproject.toml.
  - Boundary markers: Absent. There are no delimiters or specific instructions provided to the agent to treat the interpolated data as untrusted or to ignore embedded commands.
  - Capability inventory: The skill has permissions to write files (Write), create directories (mkdir), and modify project convention files (Edit for AGENTS.md or CLAUDE.md).
  - Sanitization: Absent. Data extracted from the project environment is directly inserted into template placeholders without validation or escaping.
- [SAFE]: The skill performs dynamic generation of documentation and configuration files from predefined local templates.
  - Evidence: SKILL.md describes reading templates from the references/ directory and replacing placeholders with user-provided or environment-detected values to create files such as issue-to-pr-workflow.md and agent definitions in .claude/agents/ or .codex/agents/.