before-after
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill defines a workflow that ingests and executes commands from external YAML-based 'loom plans', making it vulnerable to indirect prompt injection.
- Ingestion points: External 'loom plans' containing 'truths', 'before_stage', and 'after_stage' definitions.
- Boundary markers: The skill does not provide any boundary markers or instructions to the agent to ignore potentially malicious instructions embedded within the plans.
- Capability inventory: The skill uses 'Bash', 'Write', 'Edit', and 'Read' tools, allowing for significant system impact.
- Sanitization: No sanitization, validation, or escaping of the shell commands defined in the plans is prescribed.
- [COMMAND_EXECUTION]: The skill's primary function is to execute shell commands (e.g., via 'truths' or 'before_stage' fields) using the 'Bash' tool to verify system state transitions. This intended functionality allows for the execution of arbitrary commands provided in the plan configuration.
Audit Metadata