workflow-test-fix-cycle
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an autonomous feedback loop that processes untrusted external data, creating an indirect prompt injection surface.
  - Ingestion points: In Phase 2, the `cli-planning-agent` reads `.process/test-results.json` and `.process/test-output.log`, which contain output from the execution of project tests.
  - Boundary markers: The prompts do not use specific delimiters or instructions to prevent the subagent from interpreting instructions that might be embedded within the test logs or failure reports.
  - Capability inventory: The skill possesses the `Bash`, `Edit`, and `Write` tools, and can spawn further agents, granting it high impact if the planning agent is manipulated.
  - Sanitization: No sanitization or filtering logic is present to clean the log data before it is analyzed by the LLM.
- [COMMAND_EXECUTION]: The skill dynamically assembles shell commands using variables derived from the codebase, which can be exploited for command injection.
  - Evidence: The `@test-fix-agent` executes `npm test -- ${affected_tests.join(' ')}`, where `affected_tests` is a list of files identified by an LLM.
  - Risk: If the project contains maliciously named files (e.g., using shell metacharacters like backticks or semicolons), these could be executed by the host shell during the test phase.
Audit Metadata