executing-subtask
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection surface (Category 8). The skill processes task plans (`docs/<TICKET_KEY>-tasks.md`) and ticket snapshots that are generated from external Jira ticket content. If an attacker controls the Jira ticket description, they could inject malicious instructions that are then passed into the subagent's execution brief.
  - Ingestion points: `docs/<TICKET_KEY>-tasks.md`, `docs/<TICKET_KEY>.md`.
  - Boundary markers: The skill uses Markdown headers (e.g., `## Task <N>`) to structure data but does not implement explicit delimiters or instructions for the agent to ignore embedded commands within the ingested text.
  - Capability inventory: The skill and its subagent have the ability to write files, modify codebase content, and execute shell commands (via test running).
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the content extracted from the task plan before it is used to generate the execution brief for the subagent.
- [COMMAND_EXECUTION]: The `task-executor` subagent is explicitly instructed to "Run tests" and "write tests if required" as part of the implementation process. This inherently involves executing shell commands and code within the project environment. While this is the intended functionality, it creates a potential for arbitrary command execution if the input task plan is compromised via indirect prompt injection.
- [DATA_EXFILTRATION]: The skill uses user-supplied `$ARGUMENTS` (`TICKET_KEY` and `TASK_NUMBER`) to construct file paths for reading and writing (e.g., `docs/<TICKET_KEY>-tasks.md`). If the execution environment does not strictly sanitize these inputs, it could lead to path traversal attempts, though the risk is localized to the agent's accessible file system.