implement
Fail
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands to manage a development environment, including 'docker compose', 'pnpm', and custom Bash/TypeScript scripts. It also manages background processes for implementation loops.
- [REMOTE_CODE_EXECUTION]: The skill triggers nested 'claude' CLI sessions in an autonomous loop via 'scripts/implement.sh'. These sessions use the '--dangerously-skip-permissions' flag, bypassing human review for tool usage such as filesystem modifications and shell command execution. The logic executed is determined by prompts generated from external specification files.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from specification files and incorporates it into high-privilege autonomous AI prompts.
  1. Ingestion points: Specification files (SPEC.md) are read in Phase 1 and injected into prompts in Phase 2 and scripts/implement.sh.
  2. Boundary markers: Injected content is delimited by '=== FILE ===' markers.
  3. Capability inventory: The subprocess possesses full filesystem access and command execution capabilities through the Claude CLI.
  4. Sanitization: The skill does not perform sanitization or instruction filtering on the specification content before prompt interpolation.
- [DATA_EXFILTRATION]: The autonomous execution of unvetted instructions derived from external data, combined with full filesystem and command access, creates a significant risk of sensitive information being accessed and transmitted externally.
Recommendations
- AI detected serious security threats