project-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection vulnerability surface.
- Ingestion points: 'continue-session.md' and 'wrap-session.md' ingest data from 'SESSION.md', 'IMPLEMENTATION_PHASES.md', and git history ('git log', 'git diff').
- Boundary markers: Absent. The skill reads these files as raw text without using delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill can execute shell commands ('git commit', 'git push'), write files to '.claude/rules/', and create GitHub issues.
- Sanitization: Absent. Ingested data is interpolated directly into 'Next Action' decisions and persistent project rules, allowing an attacker to potentially hijack the agent's logic through malicious repository content.
- [COMMAND_EXECUTION] (HIGH): Arbitrary command execution via shell tools. The skill routinely executes 'git add', 'git commit', 'git push', and 'mkdir'. Because these commands are driven by the agent's interpretation of potentially poisoned session data, there is a risk of unauthorized repository modifications or exfiltration.
- [DATA_EXFILTRATION] (MEDIUM): Exposure of potentially sensitive information. The '/brief' and '/release' commands extract information from the conversation and project files to create public or shared artifacts (GitHub issues, releases). Maliciously crafted inputs could trick the agent into including secrets or private data in these public-facing summaries.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Reliance on unverified external sources. The skill is distributed from 'jezweb-skills', which is not a trusted source according to defined security protocols. Additionally, the '/release' command relies on the presence of external binaries like 'gitleaks' and 'npm' without integrity verification.
Recommendations
- AI detected serious security threats
Audit Metadata