auto-requirement
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions in SKILL.md direct the agent to execute the shell command `npx skills find` with keywords derived from the user's outline. This creates a command injection risk because malicious input in the outline (e.g., command separators or backticks) could be executed by the shell if the agent does not perform strict sanitization of the keywords before command assembly.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted data.
  - Ingestion points: Untrusted data enters the agent context through user-provided outlines in Phase 1 and local project files, git history, or technical documentation in Phase 2.
  - Boundary markers: The skill employs markdown templates and template variables (e.g., `{{OUTLINE}}`) for agent prompts, which provide structure but lack robust isolation or escaping mechanisms against adversarial instructions embedded in the data.
  - Capability inventory: Capabilities include spawning sub-agents via the Agent tool, executing local shell commands for discovery, and writing requirement documents to the filesystem.
  - Sanitization: No explicit sanitization, filtering, or validation logic is defined for the user-provided or project-extracted strings before they are interpolated into the sub-agent prompt templates.
Audit Metadata