work-milestone

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill manages a complex lifecycle of parallel background processes using claude -p and git worktree commands to handle multi-agent orchestration.
  • [COMMAND_EXECUTION]: The workflow executes arbitrary shell commands defined in the quality_gates section of the plan/milestone-{N}-dispatch.yaml file. This allows for arbitrary command execution guided by external configuration files.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from external sources (backlog items and dispatch plans) and interpolates this content into instructions for spawned sub-agents.
    • Ingestion points: Data is read from plan/milestone-{N}-dispatch.yaml and via the backlog_view tool.
    • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the prompt templates.
    • Capability inventory: Spawned sessions have full orchestrator capabilities, including the Agent tool, TeamCreate, and shell access via Bash.
    • Sanitization: There is no evidence of sanitization or validation of the backlog content before it is passed to sub-agents.
  • [COMMAND_EXECUTION]: The skill uses the --permission-mode auto flag when spawning sessions, which bypasses user confirmation for tool execution, increasing the risk of autonomous malicious activity if the agent is compromised via injection.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 08:41 AM