do-execute-task
Warn
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill defines an 'Autonomous Execution Policy' that explicitly instructs the agent to never pause, stop, or ask the user questions. This suppresses the human-in-the-loop oversight that is standard for safe agent operations.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests data from external project files (PRDs, TechSpecs, task definitions) to drive implementation and testing tasks without safety boundaries or sanitization.
  - Ingestion points: Files located at ./prds/prd-[feature-slug]/tasks/[num]_task.md, ./prds/prd-[feature-slug]/prd.md, and project source code.
  - Boundary markers: Absent. The skill does not use delimiters or instructions to ignore potential commands embedded in these files.
  - Capability inventory: The skill has broad capabilities including Write and Edit tool access, git command execution, and the ability to run arbitrary tests and dev servers via MCP tools.
  - Sanitization: Absent. The skill is instructed to treat all tags and requirements in these files as mandatory constraints.
- [COMMAND_EXECUTION]: The skill performs environment checks (scanning for .claude/, .github/, .cursor/), identifies package managers, and executes project scripts (e.g., npm run dev, git rev-parse) to perform its duties.
- [DYNAMIC_EXECUTION]: The skill dynamically resolves its execution environment and then loads and follows instruction sets (skills) from computed paths such as .claude/skills/ or .cursor/rules/. It also dynamically maps MCP server capabilities at runtime.
Audit Metadata