phase-detector

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and acting upon the contents of untrusted task files.
      • Ingestion points: Reads task markdown files (e.g., task.md, research.md, architecture.md, implementation.md) as specified in SKILL.md.
      • Boundary markers: No delimiters or instructions to ignore embedded commands are used when processing file content.
      • Capability inventory: Utilizes Bash commands in SKILL.md for file existence checks and generates suggested actions based on file content.
      • Sanitization: External file content is read and interpreted without prior validation or escaping.
  • [COMMAND_EXECUTION]: The skill performs dynamic command generation by interpolating the task name variable directly into shell scripts.
      • Evidence: The workflow in SKILL.md uses [ -f "{task_name}/task.md" ] to check for file existence.
      • Risk: If a task name is maliciously crafted to include shell metacharacters (such as backticks or semicolons), it could lead to arbitrary command execution within the agent's environment during the file discovery process.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Mar 10, 2026, 12:30 AM