design-doc
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from multiple sources to generate actionable user stories for other AI agents.
- Ingestion points: The agent is instructed to read conversation history, the entire codebase (via glob/grep), specific vision documents, and external review files (docs/design/review-[slug].md), which may contain attacker-controlled content.
- Boundary markers: There are no explicit instructions to use delimiters or to ignore embedded instructions within the processed data (e.g., within the conversation or codebase comments).
- Capability inventory: The skill has the capability to read any file in the repository and write new files to the docs/design/ directory.
- Sanitization: The instructions do not specify any sanitization, escaping, or validation of the external content before interpolating it into the final design document or user stories.
Audit Metadata