team-ux-improve
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's 'Tester' role (found in role-specs/tester.md and roles/tester/role.md) executes npm test or npm run test:unit. This results in the execution of scripts defined in the analyzed project's package.json, which could lead to arbitrary code execution if the project being analyzed contains malicious test scripts.
- [COMMAND_EXECUTION]: Several roles, including the Scanner, Diagnoser, and Implementer, utilize a specialized CLI tool (ccw cli) via Bash commands. While this appears to be a vendor-provided tool, it is used to perform analysis and write modifications to the codebase based on LLM outputs.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) due to the following evidence chain:
  - Ingestion points: The scanner and explorer roles ingest untrusted data by reading project source files (**/*.tsx, **/*.vue) and querying the codebase via the search_context tool.
  - Boundary markers: Analysis of the role specifications (roles/scanner/role.md, role-specs/scanner.md) reveals an absence of boundary markers or instructions to ignore embedded commands within the analyzed project files.
  - Capability inventory: The skill possesses significant capabilities, including the ability to write/edit files (Edit, Write), execute shell commands (Bash, npm test), and spawn sub-agents.
  - Sanitization: There is no evidence of sanitization or validation of the content read from the project files before it is used to influence the agent's logic or code generation phases.
Audit Metadata