verifying
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Step 5 of the verification process explicitly instructs the agent to extract shell commands from markdown checkbox items (`- [ ]`) and execute them. This constitutes dynamic execution of arbitrary strings found in data files.
  - Evidence: 'Step 5: Success Criteria Re-run... 1. Extract the commands from the checkbox items 2. Re-run each command'.
- [COMMAND_EXECUTION]: Step 3 executes git commands using parameters (`git_commit`) sourced directly from a plan's frontmatter, which could be manipulated to execute unexpected git flags or arguments.
  - Evidence: 'Run git diff <git_commit>..HEAD --name-only to get changed files'.
- [DATA_EXFILTRATION]: The execution of arbitrary commands in Step 5 allows for potential data exfiltration. An attacker-controlled plan could include commands that read sensitive files and send them to a remote server under the guise of a 'read-only check'.
  - Evidence: The process lacks a sandbox or command allowlist for the 'Success Criteria Re-run' phase.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes plan files (`thoughts/*/plans/*.md`) that may contain instructions designed to deceive the agent or exploit its command execution capabilities.
  - Ingestion points: Plan files located in `thoughts/*/plans/` and files retrieved via `git diff`.
  - Boundary markers: Absent; the agent is instructed to read the plan 'fully' and parse specific sections without strict delimiters for untrusted content.
  - Capability inventory: File system access (reading plans), Git CLI access (`git diff`), and execution of arbitrary shell commands found in checkboxes.
  - Sanitization: None; the skill relies on a natural language instruction to 'Don't re-run destructive or state-modifying commands' rather than technical sanitization.
Audit Metadata