gsd
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- EXTERNAL_DOWNLOADS (CRITICAL): Automated security scanners (URLite) have identified a blacklisted malicious URL within the REQUIREMENTS.md file. This file is a core component of the project's state management and serves as a primary source of requirements for the planning and execution agents.
- PROMPT_INJECTION (LOW): The skill exhibits a significant surface for indirect prompt injection.
  - Ingestion points: The gsd-phase-researcher agent utilizes the WebFetch and WebSearch tools to pull implementation details and domain knowledge from external, untrusted sources.
  - Boundary markers: Absent. The workflow lacks explicit delimiters or system instructions to ignore embedded commands or adversarial instructions within the fetched web content.
  - Capability inventory: The skill possesses powerful capabilities including Bash command execution, filesystem writing (Write), and file editing (Edit), which are used to implement the generated plans.
  - Sanitization: Absent. There is no evidence of validation, escaping, or filtering of external content before it is processed by the planner agent to generate executable PLAN.md files.
- COMMAND_EXECUTION (MEDIUM): The gsd-executor agent and associated workflows use the Bash tool to run tasks defined in the phase-plan.md files. Because these plans are derived from the REQUIREMENTS.md file (which contains a malicious URL) and external research data, they could be poisoned to execute arbitrary shell commands on the host system.
- DATA_EXFILTRATION (LOW): The skill combines full codebase read access (via the Glob and Grep tools) with external network capabilities (via WebFetch and WebSearch), creating a potential path for the exfiltration of sensitive source code or project metadata.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata