gathering-feature
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes several shell commands to manage the development lifecycle, including `pnpm install` for dependency management, `gw ci --affected --fail-fast --diagnose` for continuous integration checks, and `uv run` to execute the local `glimpse` tool for visual verification.
- [EXTERNAL_DOWNLOADS]: The skill performs external downloads via `pnpm install`, which fetches packages from the Node.js registry to build the requested feature.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests a user-provided feature specification and passes it to multiple subagents with broad file-system and tool-execution permissions.
  - Ingestion points: The feature specification is received in Phase 1 of `SKILL.md` and interpolated into subagent templates in `references/conductor-dispatch.md`.
  - Boundary markers: The templates use simple curly-brace interpolation (e.g., `{feature_spec}`) without explicit instructions to disregard potentially malicious commands embedded in the specification.
  - Capability inventory: Subagents (Elephant, Turtle, etc.) have the ability to modify project files, while the conductor agent executes shell commands (`pnpm`, `gw`, `uv`).
  - Sanitization: No explicit input sanitization or verification logic is present to filter the user-provided specification before it is processed by the subagents.
Audit Metadata