implement
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill uses
$ARGUMENTSand processes external files (plan files, spec files, andAGENTS.md) which could contain malicious instructions designed to manipulate the agent's behavior during the implementation phase. Specifically, the 'Inline task' feature and 'Spec file' parsing allow external text to influence the agent's logic flow. - [COMMAND_EXECUTION] (LOW): The skill dynamically detects and executes shell commands for 'gates' (typecheck, test, lint) by reading
AGENTS.md,package.json, orMakefile. While this is the primary purpose of the skill, an attacker who can modify these local configuration files could achieve arbitrary command execution when the skill is triggered. Evidence found in Phase 3 'Gate command detection'. - [DATA_EXFILTRATION] (SAFE): While the skill performs network-like operations (invoking other skills), it explicitly states 'do NOT push' for git operations, reducing the risk of unauthorized data exfiltration to remote repositories.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes untrusted data from plan files and spec files.
- Ingestion points:
SKILL.mdPhase 1 (File path, Spec file), Phase 3 (Gate command detection). - Boundary markers: Absent. The skill treats the content of plan files as trusted instructions for implementation.
- Capability inventory:
git commit, shell command execution via detected gates (Phase 3), and file modification (Phase 2). - Sanitization: None detected. The agent is instructed to 'implement each task' directly from the input.
Audit Metadata