ralph-tui-create-beads
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) as it ingests untrusted PRD content and processes it into executable task definitions.
- Ingestion points: Processes external PRD markdown/text files to extract 'Quality Gates' and 'User Stories'.
- Capability inventory: Generates shell commands (`bd create`, `bd dep add`) and influences the behavior of the downstream `ralph-tui` agent.
- Sanitization: None. The skill blindly extracts text from the PRD and interpolates it into command flags like `--description` and `--title`.
- Boundary markers: Absent. There are no delimiters or instructions to the agent to ignore embedded commands within the PRD sections.
- [COMMAND_EXECUTION] (HIGH): The skill dynamically assembles shell commands using strings extracted from the PRD.
- Evidence: The 'Output Format' section shows the agent is expected to run `bd create` with descriptions and titles taken directly from the PRD. A malicious PRD title like `\"; touch /tmp/pwned; #` could result in command injection depending on how the agent's shell interface handles quoting.
- Quality Gates: The extraction of commands from the 'Quality Gates' section (e.g., `pnpm typecheck`) allows an attacker to inject arbitrary shell scripts into the agent's workflow by modifying the PRD.
Recommendations
- AI detected serious security threats