spec
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the amq CLI tool for inter-agent communication. The command templates provided (e.g., amq send ... --body "") use double quotes for variable interpolation. This configuration creates a potential for shell command substitution if the content of , , or contains characters like backticks or $(...), which could lead to arbitrary command execution in the shell environment.
- [DATA_EXFILTRATION]: The workflow is designed to transmit user input and research findings to a partner agent. This results in the sharing of potentially sensitive data, including parts of the codebase explored during the research phase, with another entity.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it instructs the agent to ingest and process messages from a partner agent without sanitization or boundary markers.
  - Ingestion points: Incoming messages from amq watch, amq drain, and amq thread in SKILL.md and references/spec-workflow.md.
  - Boundary markers: None identified; messages are consumed as direct input for discussion and planning.
  - Capability inventory: Access to amq send and local file system research.
  - Sanitization: No validation or filtering of partner-provided text is implemented.
Audit Metadata