team-update
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted data from team chat channels.
- Ingestion points: External chat messages are read from configured channels (Slack, Google Chat, Discord, Teams) during the feedback triage phase in SKILL.md (Phase 3a).
- Boundary markers: There are no explicit delimiters or specific instructions provided to the agent to treat ingested chat data as untrusted or to ignore embedded instructions.
- Capability inventory: The skill has permissions to post messages to external chat channels, create issues in trackers like GitHub or Jira, and create tasks via MCP tools (as detailed in the Autonomy Rules in SKILL.md).
- Sanitization: The instructions do not describe any sanitization, escaping, or validation of the external chat content before it is used to draft replies or create issues.
- Mitigation: The risk is mitigated by a mandatory human-in-the-loop requirement. The skill must show previews and obtain explicit user approval before posting to external channels (Phase 2b) or creating issues/tasks (Phase 3c).
- [COMMAND_EXECUTION]: The skill executes local shell commands to interact with the Git repository.
- Evidence: SKILL.md and references/discovery-patterns.md use bash to run git rev-parse and git log. These commands are used to verify the repository status and collect commit history for generating updates, which is the primary purpose of the skill.
Audit Metadata