resolve_todo_parallel
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from local files and uses it to drive the behavior of sub-agents.
- Ingestion points: The skill reads all unresolved TODO items from the `/todos/*.md` directory in the 'Analyze' step.
- Boundary markers: There are no boundary markers or instructions telling the agent to ignore embedded commands within the TODO content.
- Capability inventory: The skill has the ability to modify the file system, commit changes, push to remote repositories, and spawn parallel sub-agents (`pr-comment-resolver`).
- Sanitization: There is no evidence of sanitization or content validation for the data read from the TODO files before it is passed to the sub-agents.
- [COMMAND_EXECUTION]: The skill executes file system and network-related operations through automated git commands.
- Evidence: The 'Commit & Resolve' step explicitly includes 'Commit changes' and 'Push to remote', which involves executing git binaries and interacting with remote servers.
Audit Metadata