structured-autonomy-implement
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by design.
- Ingestion points: The agent ingests instructions from an external implementation plan document passed as input at runtime.
- Boundary markers: Absent; there are no delimiters or instructions to treat the implementation plan as untrusted data or to ignore embedded malicious instructions.
- Capability inventory: The agent is authorized to modify files and execute arbitrary shell commands designated as build or test steps.
- Sanitization: Absent; the prompt mandates strict obedience ('MUST NOT skip any steps') to the input document without any filtering or validation logic.
- [COMMAND_EXECUTION]: The prompt explicitly directs the agent to 'run the build or test commands specified in the plan'. This capability allows an attacker to execute arbitrary system commands if they can control the content of the implementation plan.
Audit Metadata