ado-log-story-work

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM [COMMAND_EXECUTION] [PROMPT_INJECTION]
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the bash tool to execute git show using a commit hash derived from user input. Although it instructs the model to look for hexadecimal strings, there is a risk of shell injection if the input is not perfectly validated or if the model is coerced into including shell metacharacters.
  • [PROMPT_INJECTION]: The instructions include directives to disregard user-provided arguments at the start of the command, employing bypass-like terminology such as 'MUST NOT accept' and 'COMPLETELY IGNORE'.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
      1. Ingestion points: User-provided descriptions and git commit data (subject and body) retrieved via bash in Phase 2.
      2. Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands in the ingested text.
      3. Capability inventory: Includes bash command execution and Azure DevOps work item modification (wit_add_child_work_items, wit_update_work_item).
      4. Sanitization: None. External content is interpolated directly into prompts for AI generation without escaping or validation.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 28, 2026, 12:48 PM