forensic-review
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from previous execution stages and uses it to perform high-privilege actions.\n
- Ingestion points: Untrusted data enters the context via the
ARTIFACT:EXECUTIONfiles at.planning/harness/executions/EXECUTION-{NNN}.mdand task requirements at.planning/harness/tasks/TASK-{NNN}.md.\n - Boundary markers: Absent. The instructions do not define delimiters or provide warnings to ignore embedded instructions within the artifacts being reviewed.\n
- Capability inventory: The skill possesses the capability to read files throughout the codebase and execute shell commands for 'quality gates' and 'verification'.\n
- Sanitization: Absent. There is no requirement for the agent to sanitize or validate the safety of commands found in the execution artifacts before running them.\n- [COMMAND_EXECUTION]: The agent is explicitly instructed to execute commands to verify the state of the codebase.\n
- Evidence: In
SKILL.md, the instructions state: 'run the verification command yourself and compare results' and 'Run quality gates independently — confirm they pass'. This involves executing subprocesses that could be manipulated if the source artifacts are poisoned.
Audit Metadata