knowledge
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The workflow instructs the agent to interpolate user-provided queries directly into bash commands such as `ao search "<query>"` and `grep -r "<query>"`. This creates a potential shell injection surface if the query parameter is not strictly sanitized by the agent before being passed to the Bash tool.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and synthesizes information from potentially untrusted knowledge artifacts (learnings, research, and plans).
  - Ingestion points: The skill reads file content from the `.agents/` project directory and the `~/.claude/` global directory (SKILL.md, Steps 1-5).
  - Boundary markers: Absent. There are no instructions to use delimiters or ignore instructions contained within the retrieved knowledge artifacts during Step 6 (Synthesize Results).
  - Capability inventory: The skill utilizes `Read`, `Grep`, `Glob`, and `Bash` tools, providing a wide surface for actions if an injection occurs.
  - Sanitization: No sanitization, validation, or filtering of external content is performed before interpolation into the agent's response context.
Audit Metadata