crank
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting untrusted data from external plan files and issue descriptions which are subsequently interpolated into sub-agent instructions via TaskCreate calls.
  - Ingestion points: Plan files (Step 1) and beads issue descriptions (Step 3).
  - Boundary markers: While the skill uses markdown structural markers like headers and backticks to delineate sections, it lacks specific instructions or system-level guardrails to ensure sub-agents disregard potentially malicious instructions embedded within the task data.
  - Capability inventory: Spawned sub-agents have significant capabilities including codebase read/write access and the ability to execute implementation tasks through the /implement tool.
  - Sanitization: No evidence of input validation or sanitization was found before data interpolation into agent prompts.
- [COMMAND_EXECUTION]: The skill makes extensive use of local shell commands to interact with tools such as git, bash, jq, and specialized CLI utilities (bd, ao) for tracking and knowledge management.
  - Evidence: Numerous steps in SKILL.md and references/team-coordination.md involve the execution of shell commands to manage state, verify results, and perform epic orchestration.
Audit Metadata