manage-issue-discover
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a 'by-prompt' mode that accepts strings from arguments and interpolates them into instructions for parallel scanning agents. This creates a risk of direct prompt injection where malicious input could override the agents' primary objectives.
- [PROMPT_INJECTION]: An indirect prompt injection vulnerability exists because the deduplication agent processes data generated by initial scanning agents. If the codebase contains malicious content or if Wave 1 agents are manipulated, the aggregated results could influence the behavior of the Wave 2 agent.
  - Ingestion points: User-provided strings in $ARGUMENTS (userPrompt), tasks.csv, and discoveries.ndjson.
  - Boundary markers: None identified in the provided instruction logic to separate untrusted data from the system prompt.
  - Capability inventory: The workflow utilizes Bash, Write, Edit, and spawn_agents_on_csv tools.
  - Sanitization: No explicit sanitization or validation of the user input or file-based findings is implemented before use in agent templates.
- [COMMAND_EXECUTION]: The skill uses the Bash tool for session setup and orchestrates multiple agents with broad filesystem access. While session variables are timestamp-based, the dynamic generation of instructions (Phase 1 and 2) from untrusted files and prompts could lead to unauthorized command execution if sub-agents interpret injected content as operational commands.
- [DATA_EXFILTRATION]: The multi-agent scanning process reads source code extensively. A prompt injection attack could repurpose these scanning capabilities to harvest sensitive data (e.g., credentials or configuration files) and include them in the results.csv or context.md files, leading to unintentional data exposure.
Audit Metadata