Gen Agent Trust Hub audit: skills/hccake/skills/quick-brainstorm

quick-brainstorm

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection. It is designed to ingest untrusted content from the local environment (files, code, commits) and possesses powerful write capabilities (file creation and editing). There are no boundary markers or sanitization protocols to prevent malicious instructions embedded in the analyzed code from hijacking the agent's logic. Evidence Chain: Ingestion points include 'Task' and 'Context (read files/code/commits)'; Boundary markers are absent; Capability inventory includes 'file-edit', 'file-create', and 'git' commands; Sanitization is absent.
  • [COMMAND_EXECUTION] (MEDIUM): The '--worktree' parameter instructs the agent to run 'git worktree add ../quick-brainstorm-'. The target path begins with '../', so it resolves to the parent of the repository and the new worktree is created as a sibling directory outside the current project root. A skill that writes outside its own workspace can be used to manipulate the filesystem beyond the intended boundary, and nothing in the skill constrains where that path may resolve.
  • [PROMPT_INJECTION] (MEDIUM): The skill uses aggressive, self-referential instructional language ('MANDATORY: Do NOT', 'Violation = immediate stop', 'STOP and return') to override agent behavior. While used here for workflow control, these patterns mirror those used in malicious prompt injections to bypass system constraints.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:54 AM