skills/arenahito/piggychick/impl-plan/Gen Agent Trust Hub

impl-plan

Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFE
PROMPT_INJECTION

Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it explicitly instructs the agent to ingest and analyze data from external sources such as Notion, Figma, GitHub, and Jira, as well as existing project codebases.
      • Ingestion points: Requirements gathering involves reading external URLs and investigating local source code.
      • Boundary markers: There are no explicit instructions to use delimiters or ignore instructions within the ingested external data.
      • Capability inventory: The skill manages local files in the .tasks/ directory and facilitates the modification of agent instruction files (AGENTS.md or CLAUDE.md). It also provides patterns for executing shell commands such as yq or test runners.
      • Sanitization: The skill does not specify any sanitization, validation, or filtering of the content retrieved from external sources.
  • [PROMPT_INJECTION]: The updateAgentDocs feature, specifically when set to auto, allows the agent to modify its own instruction files based on 'learnings' derived from potentially untrusted inputs. While the skill recommends a safer suggest mode, the possibility of automated instruction modification poses a risk of persistent manipulation if the input data is poisoned.

Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 8, 2026, 10:51 PM