workflow-feature-shipper
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from
feature.mdto drive the entire planning and implementation process without defined sanitization or boundary markers. - Ingestion points:
feature.mdin Step 1. - Capability inventory: The skill has the ability to write files to the repository, run build commands, execute tests, and call external tools (Steps 7, 8, and 10).
- Sanitization: No sanitization or validation of the input requirements is mentioned.
- [Command Execution] (HIGH): The skill executes build and test processes, which involve running arbitrary commands in the local environment.
- Evidence: Step 8 ("Verification: can run, can build (and existing tests pass)").
- [Remote Code Execution] (HIGH): The skill implements features by generating and modifying source code, which is subsequently executed during the verification phase.
- Evidence: Step 7 ("Implement (batch execution + checkpoints)") and Step 8 ("Verification").
- [Persistence Mechanisms] (MEDIUM): The skill attempts to modify the environment by offering to install project-level hooks, which can be used to maintain access or trigger malicious code on git events.
- Evidence: Step 0 ("If missing, offer to install project-level hooks").
Recommendations
- AI detected serious security threats
Audit Metadata