todo
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by design. It treats the contents of the TODO.md file as authoritative instructions for its next actions.
  - Ingestion points: The agent reads TODO.md from the project root (SKILL.md, Instructions step 1).
  - Boundary markers: There are no delimiters or instructions provided to the agent to treat the task descriptions as untrusted or to ignore embedded commands/system overrides.
  - Capability inventory: The agent is authorized to find files, implement solutions (file write/modify), and run tests (command execution).
  - Sanitization: No sanitization or verification of the task string is performed before the agent attempts to 'Implement the solution'.
- [COMMAND_EXECUTION]: The skill explicitly directs the agent to 'Verify it works (run tests if applicable)'. This grants the agent permission to execute arbitrary shell commands or scripts based on the logic required by the task found in the untrusted TODO.md file.
Audit Metadata