pre-mortem
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a shell script 'hooks/finding-compiler.sh' located within the project's directory. This presents a risk of arbitrary code execution if the project being analyzed contains a malicious hook script.
- [COMMAND_EXECUTION]: Shell commands for the 'ao' utility interpolate plan metadata (such as the plan's goal or title) directly into arguments: 'ao lookup --query ""'. This creates a command injection surface if the plan content contains shell metacharacters such as backticks or semicolons.
- [DATA_EXFILTRATION]: The skill reads project-sensitive files including implementation plans, specifications, and 'PRODUCT.md', and passes their content to the 'ao' tool and the '/council' skill. While functional, this involves transmitting project context to external components.
- [PROMPT_INJECTION]: The skill ingests untrusted plan and spec data for analysis by an LLM-based council without specifying delimiters or instructions to ignore nested commands, making it vulnerable to indirect prompt injection.
  - Ingestion points: SKILL.md (Step 1) reads files from '.agents/plans/' and '.agents/specs/'.
  - Boundary markers: Absent. There are no explicit delimiters or 'ignore embedded instructions' warnings provided for the judges.
  - Capability inventory: Shell execution (ls, ao, bash), file system writes ('.agents/council/', '.agents/findings/registry.jsonl'), and cross-skill calls (/council).
  - Sanitization: Absent. No validation or escaping of plan content is performed before interpolation into shell commands or LLM prompts.
Audit Metadata