explain-like
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (MEDIUM): High risk of indirect prompt injection due to the processing of untrusted external content. * Ingestion points: The skill reads pull request bodies (via 'gh pr view'), code diffs, and design documents. * Boundary markers: No delimiters or specific instructions to ignore embedded commands are used when interpolating untrusted data into the agent context. * Capability inventory: The skill has the ability to read the file system and run git commands, and it specifically requests to write files. * Sanitization: No input validation or sanitization of external content is present.
- COMMAND_EXECUTION (LOW): Instruction and permission mismatch. The skill documentation directs the agent to use 'gh' (GitHub CLI) and to write files to the 'specs/' directory, but these capabilities are not authorized in the 'allowedTools' metadata (restricted to Bash git commands and basic read/search tools).
Audit Metadata