workflow-tdd-plan

Warn

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes user-provided task descriptions and supplementary materials to generate implementation plans. The 'Auto Mode' feature (--yes) allows bypassing confirmations, which could lead to the unintended execution of instructions if the input contains malicious prompts.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute file searches and run test suites (e.g., npm test, pytest). While these are standard operations, they involve executing local code found within the repository, which could be malicious.
  • [PROMPT_INJECTION]: There is a risk of indirect prompt injection as the skill ingests project source code, existing tests, and user-provided supplementary materials to influence task generation.
    1. Ingestion points: User input, Phase 0 supplementary materials, and existing project files (source code and tests).
    2. Boundary markers: No explicit delimiters or 'ignore' instructions are used in the agent prompts to separate instructions from untrusted data.
    3. Capability inventory: The skill can execute Bash commands, write files, and generate tasks for CLI execution via ccw cli.
    4. Sanitization: No sanitization or validation of user-provided materials or project content is performed before incorporation into the agent's context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 8, 2026, 04:10 PM