programming-pm
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, since it ingests deliverables produced by other AI agents and uses that content to generate shell commands and prompts for other specialists.
  - Ingestion points: Deliverable YAML handoff files (e.g., 'phase1-requirements-handoff.yaml') produced by agents such as the 'requirements-analyst' or 'senior-developer'.
  - Boundary markers: Employs a structured handoff schema and a validation script ('scripts/validate-handoff.py') to verify file formats, but lacks explicit instructional delimiters to ensure that data fields do not contain executable instructions or command bypasses.
  - Capability inventory: Uses the 'Bash' tool to execute 'git', 'yq', and 'ps' commands. It has the authority to write files to '/tmp/' and to the local repository.
  - Sanitization: Uses 'yq' to extract specific fields but does not sanitize the resulting strings before they are interpolated into double-quoted shell command strings, which can lead to command injection if the input content contains backticks or subshell markers.
- [COMMAND_EXECUTION]: The skill performs extensive automation using the Bash tool for workflow management, process monitoring, and Git operations. It relies on a local, author-specific synchronization tool ('sync-config.py') located at a hardcoded absolute path ('/Users/davidangelesalbores/repos/claude/sync-config.py').
Audit Metadata