flow-interview
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from external task descriptions and local files, then performs high-privilege write operations (updating trackers, rewriting files) based on that data. An attacker controlling a task description could inject instructions to manipulate the agent's output or tool usage.
  - Ingestion points: Data enters the agent context via bd show <id> (external tracker) and by reading local file paths (e.g., SPEC.md).
  - Boundary markers: There are no defined delimiters or instructions (e.g., 'ignore embedded commands') to isolate the untrusted data from the system instructions.
  - Capability inventory: The skill possesses significant write capabilities, including bd update, bd create, and the ability to rewrite any local file path provided by the user.
  - Sanitization: No sanitization or validation of the content retrieved from external sources is performed before it is used to generate new specs or update the tracker.
- [Command Execution] (LOW): The skill uses a local CLI tool (bd) to manage task data.
  - Evidence: Commands such as bd show, bd update, and bd create are executed with user-supplied or externally-sourced arguments. While primarily for task management, these represent a capability surface for exploitation via injection.
- [Unverifiable References] (LOW): The skill logic relies on an external file, questions.md, which was not provided for analysis.
  - Evidence: Instructions direct the agent to 'Read [questions.md] for all question categories and interview guidelines.'
Recommendations
- AI detected serious security threats
Audit Metadata