tidy
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically constructs shell commands such as `mv`, `rm -rf`, and `git log` using strings parsed from local markdown files (e.g., topic names, file paths). If these files contain shell metacharacters like semicolons, backticks, or command substitution sequences, it could lead to arbitrary command execution on the host system.
  - Evidence: Direct interpolation of variables `[topic]`, `[plan]`, and `[file-paths]` into bash execution blocks for archiving, deleting, and status checking.
- [PROMPT_INJECTION]: The skill processes untrusted content from markdown files to determine its workflow, creating a surface for indirect prompt injection.
  - Ingestion points: Plan files located in `docs/arc/plans/*.md` and `docs/plans/*.md` (SKILL.md).
  - Boundary markers: Absent. There are no delimiters or instructions to the agent to ignore embedded instructions within the files being processed.
  - Capability inventory: File system modification (`mv`, `rm`, `mkdir`), version control history access (`git log`), and user interaction (AskUserQuestion).
  - Sanitization: Absent. No evidence of validation, escaping, or filtering for extracted content before it is used in logic or commands.
Audit Metadata