Skills
skills/emeraldwalk/skills/task-tracking/Gen Agent Trust Hub

task-tracking

Warn

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/mock_agent.sh script extracts a file path from the input prompt and executes it using bash. This dynamic execution of a path derived from text content is a risk if the input is manipulated by an attacker or a compromised agent.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because scripts/run_task_loop.sh aggregates task data from JSON files and interpolates it into a new agent prompt without sanitization or boundary markers.\n
  • Ingestion points: scripts/run_task_loop.sh reads task metadata from files in the .tasks/ directory which are written by previous agent actions.\n
  • Boundary markers: Absent. Task content is concatenated directly into the markdown prompt in the build_prompt function.\n
  • Capability inventory: The orchestrator executes claude, gh copilot, and git commands, while mock_agent.sh executes shell scripts.\n
  • Sanitization: Absent. No escaping or validation is performed on task descriptions or verification commands before they are included in the prompt.\n- [COMMAND_EXECUTION]: The orchestration script scripts/run_task_loop.sh uses the --dangerously-skip-permissions flag with the Claude CLI, which disables security guardrails and permission checks for the child agent.\n- [COMMAND_EXECUTION]: The run_task_loop.sh script automatically executes git add -A and git commit using messages derived from task descriptions and notes. This allows an agent to persist project-wide changes and commit history without direct human review of the specific files being modified.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 30, 2026, 05:42 PM