workflow-implement-phases
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its phase orchestration workflow.
  - Ingestion points: The skill reads external plan files from the `docs/plans/` directory or a user-specified path using the `Read` tool.
  - Boundary markers: The sub-agent prompt template uses standard Markdown headers (e.g., `### Specification`) but lacks explicit isolation delimiters or instructions to ignore embedded commands within the `{full_phase_spec}` or `{acceptance_criteria_list}` variables.
  - Capability inventory: The orchestrator utilizes the `Read` tool to ingest data and the `Task` tool to spawn sub-agents. These sub-agents are explicitly instructed to "Implement the phase," which traditionally involves file system operations (`Write`, `Edit`).
  - Sanitization: There is no evidence of sanitization, validation, or escaping of the content extracted from the plan files before it is passed to the sub-agents.
Audit Metadata