ops-yolo
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Significant vulnerability surface for Indirect Prompt Injection detected.
- Ingestion points: The skill ingests untrusted data from Slack messages, Gmail threads, Linear issues, and GitHub pull request metadata (processed via SKILL.md).
- Boundary markers: Absent. There are no explicit instructions or delimiters defined to prevent the agent from following commands embedded within the external data sources.
- Capability inventory: The skill has high-privilege capabilities including arbitrary shell command execution (Bash), code merging (gh pr merge), and infrastructure management (the ability to delete or stop AWS resources like ALBs and RDS instances).
- Sanitization: Absent. No evidence of input validation or escaping logic for the ingested third-party content is provided.
- [COMMAND_EXECUTION]: Utilizes dynamic context injection (the !command syntax) to execute local binaries and shell scripts at skill load time to collect environment state and billing metrics.
- [COMMAND_EXECUTION]: Features an autonomous mode ("YOLO mode") capable of performing destructive repository and infrastructure actions. The risk is mitigated by architectural requirements for user confirmation (AskUserQuestion) and a pre-execution review phase (EnterPlanMode) for all high-impact actions.
Audit Metadata