code-auto

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFE
Flags: PROMPT_INJECTION, COMMAND_EXECUTION

Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and executes tasks derived from external markdown plan files without human approval.
  • Ingestion points: The skill reads data from plan files specified in the $PLAN argument, the ./plans/ directory, and analysis files in .ai/workspace/analysis/.
  • Boundary markers: There are no boundary markers or instructions to the model to ignore embedded commands within the external plan content.
  • Capability inventory: The skill possesses extensive capabilities including writing to the file system (Step 2), executing code via compilation and test runners (Step 3), and modifying repository history via git commits (Step 5).
  • Sanitization: The skill lacks sanitization or validation mechanisms to prevent instructions in the plan from overriding the agent's safety protocols or intended behavior.
  • [COMMAND_EXECUTION]: The workflow involves the autonomous execution of system commands for code compilation and testing. Since this execution is driven by the contents of the potentially untrusted plan files, it poses a risk of executing unauthorized code generated by the agent during the automated implementation phase.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 7, 2026, 07:59 PM