brainstorming

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by ingesting untrusted data from the project environment.
    ● Ingestion points: Reads current project state including files, documentation, and recent commits (SKILL.md).
    ● Boundary markers: No delimiters or ignore instructions are specified for separating untrusted project data from the agent's instructions.
    ● Capability inventory: The skill can write files to the docs/plans/ directory, execute git commit operations, and invoke secondary skills for worktree management and planning (SKILL.md).
    ● Sanitization: No evidence of validation or filtering for the external content retrieved from the repository.
  • Command Execution (MEDIUM): The skill directs the agent to interact with the file system and version control tools.
    ● Evidence: Explicitly instructs the agent to write design documents to disk, commit changes to git, and utilize git-worktrees for workspace isolation (SKILL.md).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:28 AM