req-plan-with-file
Fail
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The implementation logic in Phase 3 constructs and executes shell commands using the 'bash' tool to interface with the 'ccw' CLI (e.g., in Step 3.3b and 3.3c).
- [COMMAND_EXECUTION]: Vulnerable string interpolation exists where JSON-stringified data is wrapped in single quotes within a bash call: `ccw issue create --data '${JSON.stringify(issueData)}'`. Because JSON.stringify does not escape single quotes, any single quote present in the requirement description or generated issue content will terminate the shell's single-quoted string and allow for arbitrary command injection.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
  - Ingestion points: Phase 2 (Context Collection) reads project metadata and source files using 'Grep', 'Glob', and 'Read' (e.g., package.json, go.mod, src/).
  - Boundary markers: The skill lacks explicit delimiters or instructions to ignore embedded commands within the files it reads.
  - Capability inventory: The skill possesses extensive capabilities, including 'Bash' for command execution and 'Write'/'Edit' for file system modification.
  - Sanitization: No validation or escaping is performed on the content gathered from the codebase before it is processed by the decomposition logic.
Recommendations
- AI detected serious security threats
Audit Metadata