todo-processing

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection: it instructs the agent to read todo files to learn its tasks, so anyone who can write to those files can put instructions in front of the agent.
  • Ingestion points: Reads .md files from the filesystem (configured in .agent-todos.local.json or defaulting to docs/agent-todos/).
  • Boundary markers: Absent. The skill instructions neither wrap task-file content in delimiters nor warn the agent to treat instructions found inside the files as data rather than as commands.
  • Capability inventory: The agent is permitted to use Bash, Write, Edit, and the Skill tool, providing a substantial attack surface if instructions in a malicious todo file are followed.
  • Sanitization: Absent. Task content is directly ingested and processed as instructions without filtering.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool for filesystem operations, including finding, sorting, and renaming files with commands such as find and mv.
  • The renaming logic in Step 2 moves files to names built from numeric prefixes computed by scanning the directory. If the agent assembles those shell commands by splicing filenames into a command string, a filename containing shell metacharacters (spaces, semicolons, $(...), a leading dash) can break the command or be interpreted by the shell; filenames must reach mv only as quoted arguments.
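The safe form of the Step 2 renaming that the COMMAND_EXECUTION finding calls for, written as an added example rather than the skill's own code: a hypothetical renumber_todos helper that gives the .md files in a directory zero-padded 001-, 002-, ... prefixes while never letting a filename be re-parsed by the shell. It assumes the directory is passed as the first argument and uses the shell's own glob in place of the skill's find-and-sort pipeline, because a glob result is handed to the loop as whole words and is never split or re-evaluated.

```sh
# Added example, not the todo-processing skill's own code. Hypothetical helper:
# renumber .md todo files with 001-, 002-, ... prefixes without ever letting a
# filename be re-parsed by the shell.
set -eu

# Byte-order sorting so the numbering is the same on every machine
# (equivalent to running sort in the C locale).
export LC_ALL=C

# renumber_todos DIR
#   - "$dir"/*.md is expanded by the shell itself; each result is used as one
#     word, so spaces, ';', '$(...)', '*' and newlines inside a name are inert
#     (looping over the text output of find would split on them)
#   - "--" keeps mv from treating a name that begins with '-' as an option
#   - every expansion is double-quoted; nothing is spliced into a command string
#   - an existing NNN- prefix is stripped first, so rerunning is a no-op
#   - refuses to overwrite an existing target instead of silently clobbering it
renumber_todos() {
    dir=$1
    n=0
    for path in "$dir"/*.md; do
        [ -e "$path" ] || continue        # the glob matched nothing
        n=$((n + 1))
        base=${path##*/}
        case $base in
            [0-9][0-9][0-9]-*) base=${base#???-} ;;
        esac
        new=$dir/$(printf '%03d' "$n")-$base
        if [ "$path" != "$new" ]; then
            if [ -e "$new" ]; then
                printf 'refusing to overwrite existing file: %s\n' "$new" >&2
                return 1
            fi
            mv -- "$path" "$new"
        fi
    done
}

# Usage: sh renumber.sh docs/agent-todos
[ $# -eq 0 ] || renumber_todos "$1"
```

The same rule applies to the count that Step 2 derives from the directory scan: if the next prefix is computed from how many files already exist, count them with the same glob loop rather than by piping find into wc -l, since a name containing a newline inflates a line count and a name containing metacharacters is only safe while it stays an argument and never becomes part of a command string.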
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 12, 2026, 10:38 PM