file-todos
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Significant Indirect Prompt Injection vulnerability. The skill is designed to ingest data from untrusted external sources like 'PR comments', 'findings', and 'feedback' into the 'todos/' directory. It then reads these files to drive workflows. An attacker could embed instructions in a PR comment that, when processed by the agent, lead to unauthorized actions.
  - Ingestion points: Markdown files in the 'todos/' directory populated from PR comments and external feedback.
  - Boundary markers: None present; the agent treats the content of the markdown files as instructions for state transitions and workflow steps.
  - Capability inventory: File system modification ('mv', 'cp'), command execution ('ls', 'grep', 'awk'), and integration with code review workflows.
  - Sanitization: No escaping or validation of the content being moved into the 'todos/' directory or read back from it.
- [COMMAND_EXECUTION] (MEDIUM): Extensive use of shell scripts and command interpolation. The skill relies on 'grep', 'awk', and shell loops to manage dependencies and triage items. Maliciously crafted filenames or file contents could lead to arbitrary command execution within the agent's environment.
Recommendations
- AI detected serious security threats
Audit Metadata