brainstorming
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection vulnerability.
- Ingestion points: The skill is instructed to "Check out the current project state first (files, docs, recent commits)" (SKILL.md). These sources are potentially attacker-controlled.
- Boundary markers: There are no requirements to use delimiters or ignore instructions found within the project files.
- Capability inventory: The skill has the power to write files to the filesystem and execute
git commit(SKILL.md). - Sanitization: No sanitization or validation of the ingested project data is mentioned.
- Risk: Malicious instructions embedded in project documentation or commit messages could hijack the brainstorming process to generate backdoored designs or execute unauthorized git operations.
- [COMMAND_EXECUTION] (LOW): Intentional command execution for workflow automation.
- The skill is designed to write design documents to
docs/plans/and performgit commit. While these are functional requirements, they provide the necessary side effects for an indirect prompt injection attack to persist malicious content in the repository.
Recommendations
- AI detected serious security threats
Audit Metadata