create-prd
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface detected in `scripts/prd_scaffolder.py`. The script accepts user-controlled strings via the `--product-name`, `--objective`, and `--segments` flags and interpolates them directly into a markdown template. This generated content is subsequently processed by the agent as part of the primary workflow, creating a path for malicious instructions to influence agent behavior.
  - Ingestion points: Command-line arguments in `scripts/prd_scaffolder.py` (file path: `scripts/prd_scaffolder.py`).
  - Boundary markers: No delimiters or warnings are used to wrap the injected content in the generated output.
  - Capability inventory: The agent has file system access and is instructed to fill, review, and share the generated document (file path: `SKILL.md`).
  - Sanitization: The script performs no escaping or validation of the input strings before interpolation.
- [PROMPT_INJECTION]: Deceptive metadata poisoning. The skill includes a future update date of `2026-03-04` and cites a '2025 Carnegie Mellon SEI study' to support its methodology. These appear to be fabricated or misleading claims used to lend undue authority to the provided framework.
- [COMMAND_EXECUTION]: Arbitrary file write capability. The `scripts/prd_scaffolder.py` utility includes an `--output` flag that allows the user or agent to specify any file path for the output. If the path is not validated by the executing platform, this could be used to overwrite sensitive files or configuration files.
Audit Metadata