todo-resolve
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from todo files (`*.md`) which may contain malicious instructions designed to influence the behavior of the spawned resolver agents (Indirect Prompt Injection surface).
  - Ingestion points: Reads markdown files from `.context/compound-engineering/todos/` and `todos/` directories.
  - Boundary markers: None identified in the provided instructions to delimit untrusted content.
  - Capability inventory: Spawns sub-agents (`compound-engineering:workflow:pr-comment-resolver`), performs file modifications, executes git commits, pushes to remote repositories, and deletes files.
  - Sanitization: No explicit sanitization, validation, or escaping of todo file content is documented.
- [COMMAND_EXECUTION]: The skill performs file system operations including file deletions and Git operations (commit and push) during the implementation and cleanup phases.
- [DATA_EXFILTRATION]: The workflow includes pushing committed changes to a remote repository. While standard for development tasks, this involves transmitting local content to an external network endpoint.
Audit Metadata