milestone
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to its core workflow of processing external, potentially attacker-controlled content.
  - Ingestion points: The workflow explicitly requires reading SPEC.md and plan.md from the project directory (SKILL.md, Phase 1).
  - Boundary markers: Absent. The instructions do not provide delimiters or clear directives to the agent to ignore any embedded instructions within the processed files.
  - Capability inventory: The skill possesses file system write capabilities, specifically the creation and modification of milestone.md. Depending on the agent's broader environment, this capability could be leveraged to overwrite critical files if an injection is successful.
  - Sanitization: Absent. There is no logic provided to escape, validate, or filter the natural language content extracted from the input files before it influences the agent's reasoning process.
Recommendations
- AI detected serious security threats
Audit Metadata