refining-requirements
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It is designed to ingest untrusted data (PRDs) and has significant write/execute capabilities.
  1. Ingestion points: The agent reads PRD files (as seen in references/edge-cases.md) and explores local source code (references/scaffolding-patterns.md).
  2. Boundary markers: There are no instructions for the agent to use delimiters or to ignore instructions embedded within the PRDs it processes.
  3. Capability inventory: The skill provides instructions for executing shell commands (find, cat, mkdir, npm) and for creating/modifying files across various tech stacks.
  4. Sanitization: No sanitization or validation of the PRD content is performed before it is used to generate code or execute commands.
- [COMMAND_EXECUTION] (HIGH): The references/scaffolding-patterns.md file explicitly directs the agent to run potentially dangerous shell commands to explore the project structure and verify code style, such as `find . -name "*.controller.js" -type f | head -1 | xargs cat`. If an attacker can influence the filenames or paths in a PRD, they might trick the agent into reading or exposing sensitive files.
- [EXTERNAL_DOWNLOADS] (LOW): The skill includes examples of using curl for administrative tasks (e.g., in references/edge-cases.md). Although these are provided as templates, an agent following them might perform unintended network requests if the input data specifies malicious endpoints.
Recommendations
- AI detected serious security threats