post-mortem
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of local shell commands and utilities including `git`, `jq`, `grep`, and `sed`, along with specialized platform tools like `bd` (issue management) and `ao` (agent operations) to analyze project progress and automate report generation.
- [PROMPT_INJECTION]: The skill implements an automated 'Knowledge Flywheel' that is susceptible to indirect prompt injection (Category 8). It ingests data from commit messages, issue descriptions, and planning artifacts to generate 'learnings' and 'constraints' that are intended to govern future agent behavior.
  - Ingestion points: Context is gathered from `git log`, `bd children`, `bd show`, and various research/plan documents (referenced in `SKILL.md` Step EX.1 and `references/context-gathering.md`).
  - Boundary markers: While data is stored in structured Markdown, there are no explicit security delimiters or instructions to ignore embedded commands within the extracted data.
  - Capability inventory: The skill possesses the capability to modify `MEMORY.md` and trigger the compilation of new constraints (Step EX.6), which are then automatically loaded by the agent in subsequent planning and implementation phases.
  - Sanitization: The skill performs basic abstraction (Step EX.4) to remove local-only references from global learnings, but does not provide semantic sanitization or validation of the content to prevent the promotion of malicious instructions into the agent's long-term memory.
Audit Metadata