review
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8).
  1. Ingestion points: It reads untrusted content from project plans located in docs/arc/plans/ and from recent conversation history.
  2. Boundary markers: The prompts for sub-agents (e.g., Plan: [plan content]) lack explicit delimiters or instructions to ignore embedded malicious directives.
  3. Capability inventory: The skill can spawn sub-agents, modify files, perform git commits, and execute shell scripts.
  4. Sanitization: There is no evidence of input validation or escaping for the ingested content.
- [COMMAND_EXECUTION]: The skill executes a local shell script at scripts/cleanup-orphaned-agents.sh to manage sub-agent life cycles and references external CLI tools like codex-reviewer and gemini-reviewer.
Audit Metadata