work-tracker
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and execute instructions from 'unsupervised tickets' and session logs. Evidence:
  1. Ingestion points: The agent is instructed to read contents from 'work/backlog/unsupervised/', 'work/active/', and 'work/.sessions/'.
  2. Boundary markers: No explicit delimiters or instructions to ignore embedded prompts are defined in the skill logic.
  3. Capability inventory: The skill possesses the ability to create, move, and modify files on the local file system and execute shell commands.
  4. Sanitization: Content from these task files is processed and followed directly without validation.
- [COMMAND_EXECUTION]: The skill utilizes the 'grep' shell command to perform indexing and searching across backlog files. While restricted to the project's 'work/' directory, this constitutes the execution of a command-line tool based on local file content.
Audit Metadata