brainstorming
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from external sources to guide its behavior.
- Ingestion points: In Phase 1, the skill reads content from Linear issue descriptions, comments, and linked documents.
- Boundary markers: There are no explicit instructions provided to the agent to treat the data retrieved from Linear as untrusted or to disregard instructions embedded within those external fields.
- Capability inventory: The skill possesses the ability to read project files (code, CLAUDE.md), write new markdown and HTML files to the filesystem (docs/designs/ and ~/.agent/diagrams/), and trigger the opening of files in a browser.
- Sanitization: The skill implements regex-based sanitization for the issue ID (^[a-zA-Z0-9]([a-zA-Z0-9_-]*[a-zA-Z0-9])?$) before using it in file paths, which helps prevent directory traversal but does not sanitize the actual content of the generated files.
- [COMMAND_EXECUTION]: The skill performs file system operations and interacts with the user's browser based on processed data.
- Evidence: Phase 4 and Phase 5 involve writing files to the local disk and opening an HTML diagram in a browser. If an attacker places a malicious payload in a Linear issue, the AI might reflect that payload into the generated HTML, potentially leading to local script execution or XSS when the user views the diagram.
Audit Metadata