brainstorming
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly susceptible to indirect prompt injection due to its core function of reading untrusted data combined with its ability to perform side-effect operations.
- Ingestion points: Accesses project state via 'files, docs, recent commits' as specified in SKILL.md.
- Boundary markers: None detected; there are no instructions to the agent to treat external content as untrusted or to use delimiters.
- Capability inventory: Writing to 'docs/plans/' and '.agent/system/', and execution of git commands ('commit', 'worktrees').
- Sanitization: None detected.
- Risk: An attacker could embed malicious instructions in a README or a git commit message; because the skill reads that content and can write files and run git commands, the agent could act on those instructions during the brainstorming process, potentially leading to unauthorized file modifications or repository pollution.
- Command Execution (MEDIUM): The skill explicitly instructs the agent to 'Commit the design document to git' and utilize 'superpowers:using-git-worktrees'. While these are functional requirements, they increase the impact of a successful prompt injection attack.
- Metadata Poisoning (LOW): The skill description uses mandatory language ('You MUST use this') to force usage, which can be a deceptive pattern, though here it appears aimed at workflow enforcement rather than malicious bypass.
Recommendations
- AI detected serious security threats
Audit Metadata