docfactory-backlog

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection by processing untrusted project documentation into executable tasks for downstream agents.
    • Ingestion points: Reads from multiple markdown files including the project brief, PRD, UI/UX spec, and architecture files (e.g., 02-prd.md, 04-tech-architecture.md).
    • Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the ingested source documents.
    • Capability inventory: The skill generates 06-backlog.md, which contains "Verification" steps. The documentation explicitly states these are intended for an IDE agent to execute with "high confidence."
    • Sanitization: Absent. The skill performs no validation or escaping of the content derived from ingested documents before interpolating it into executable fields.
  • [COMMAND_EXECUTION] (LOW): The skill includes and encourages the use of a local Python script for validation.
    • Evidence: scripts/validate_docfactory_backlog.py is used to verify the structure of the output. While benign (using standard libraries for regex and file reading), it represents a command execution surface within the skill's operational workflow.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 09:10 AM