1on1
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its data ingestion process.
- Ingestion points: Reads content from user-provided file paths (specs, reports, PRs) and external web search results as defined in Phase 1 of SKILL.md.
- Boundary markers: Absent; the instructions do not implement delimiters or specific warnings for the agent to ignore instructions embedded within the ingested documents.
- Capability inventory: Employs file system tools (Grep, Read, Glob) and creates workflow tasks (TaskCreate) in SKILL.md.
- Sanitization: Absent; there is no mention of escaping or validating the content retrieved from external sources before it is used to build the DECIDE.md brief.
- [COMMAND_EXECUTION]: The skill executes automated codebase exploration using Grep, Read, and Glob. It also creates tasks to manage the workflow and writes the final brief to the /tmp directory. These operations are within the expected scope of the skill's functionality.
Audit Metadata