team-tech-debt
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because the scanner role ingests project source code which is then used as context for planning and executing code modifications. Evidence:
  - Ingestion points: roles/scanner/role.md performs multi-dimension codebase scanning.
  - Boundary markers: Absent in the roles/executor/role.md and roles/planner/role.md prompts.
  - Capability inventory: roles/executor/role.md has write access via the ccw cli and Bash execution; roles/coordinator/monitor.md has git and GitHub CLI (gh) access.
  - Sanitization: No specific filtering or escaping of ingested source code is performed before it is processed by the LLM.
- [COMMAND_EXECUTION]: The skill frequently executes shell commands to interact with the environment. Evidence:
  - roles/executor/role.md uses Bash to execute git and tool-specific commands within a worktree.
  - roles/validator/role.md runs development tools including npm test, pytest, tsc, and eslint to validate changes.
  - roles/coordinator/monitor.md uses git and the GitHub CLI (gh) to manage worktrees and submit pull requests.
- [DYNAMIC_EXECUTION]: The skill generates and applies code modifications at runtime. Evidence:
  - roles/executor/role.md uses an LLM-based tool (ccw cli --tool gemini --mode write) to implement refactors and updates based on the remediation plan.
  - roles/validator/role.md includes auto-fix logic that generates and applies code fixes to resolve regressions found during the validation phase.
Audit Metadata