specmgr
Warn
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the agent to execute arbitrary CLI commands defined in generated 'Agent Test Plan' files (Workflow 3c and 5a). These plans are created based on potentially untrusted input documents.
- [REMOTE_CODE_EXECUTION]: Guidelines in the
references/taskcreator.mdfile instruct the agent to generate and execute shell commands, such ascurl, when external data gathering or API interactions are needed during implementation chunks. - [DATA_EXFILTRATION]: The instructions for task creation suggest referencing sensitive environment variables within generated commands that may perform network operations, which could lead to credential harvesting or data exfiltration.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
- Ingestion points: Workflow 1 reads 'all input/reference files' and 'raw report documents' from the project directory (SKILL.md).
- Boundary markers: Absent. There are no instructions for the agent to use delimiters or to disregard instructions embedded within these external documents.
- Capability inventory: The skill allows file system writes (code, specs, plans) and command execution (test runners, custom agent test plans) across multiple scripts (SKILL.md, taskcreator.md).
- Sanitization: Absent. The skill does not perform validation or escaping of the content extracted from input files before incorporating it into executable plans or code.
- [COMMAND_EXECUTION]: The workflow involves generating implementation code and unit tests which are subsequently executed by the agent to verify the implementation (Workflow 3b, 4b).
Audit Metadata