brainstorm-solution
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill feeds untrusted data from external files and from user input into the model's decision-making and into filesystem operations without isolating it from the instructions.
  • Ingestion points: the --docs parameter and the interactive prompts for constraints and the brief.
  • Boundary markers: none (Steps 5 and 6 process this content directly as instructions-bearing context).
  • Capability inventory: directory creation (Step 3) and file writing (Steps 8 and 9) within the docs/ directory.
  • Sanitization: none for the content of the referenced documentation or for user-supplied strings.
- [Data Exposure] (MEDIUM): The --docs argument lets a user or an attacker controlling the invocation point the agent at sensitive local files (e.g., .env or SSH configs). Because the skill instructs the agent to use these files as brainstorming context, their contents may be copied into the resulting session files or summary.
- [Command Execution] (LOW): The skill creates a directory (mkdir) from a user-provided string (the feature-slug derived from the brief). Writes are limited to the docs/tech-brainstorm/ path, but the skill specifies no slugification logic, so a brief containing path separators or ".." segments could escape that directory if the agent does not sanitize the input itself.
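The two filesystem findings above (an unslugified feature name used in mkdir, and --docs pointing at files outside the project or at secret-bearing files) have a compact mitigation. The following is an added example written for this page, not the skill's own code: the directory name docs/tech-brainstorm/ comes from the audit text, while the function names, the deny list of secret file names and the sample project root /tmp/proj are assumptions.

```python
import re
from pathlib import Path

# Constructed hardening sketch for the findings above. Not the skill's code;
# only the docs/tech-brainstorm/ location is taken from the audit text.
SESSION_ROOT = Path("docs/tech-brainstorm")
# Assumed deny list of names that commonly carry credentials.
DENY_NAMES = {".env", ".git", ".ssh", "id_rsa", "id_ed25519"}


def slugify(brief: str, max_len: int = 40) -> str:
    """Reduce a free-form brief to a filesystem-safe slug: lowercase ASCII
    letters, digits and single hyphens. Every other character (slashes, dots,
    spaces, NUL) is collapsed into '-', so '../../etc' cannot survive as
    path syntax. Raises if nothing usable remains."""
    slug = re.sub(r"[^a-z0-9]+", "-", brief.lower()).strip("-")
    slug = slug[:max_len].strip("-")
    if not slug:
        raise ValueError("brief yields an empty slug")
    return slug


def session_dir(brief: str, root: Path = SESSION_ROOT) -> Path:
    """Build the session directory and verify, after resolving symlinks and
    '..', that it is still a direct child of root. slugify() already removes
    separators; the containment check catches regressions in slugify()."""
    candidate = (root / slugify(brief)).resolve()
    root_resolved = root.resolve()
    if root_resolved not in candidate.parents:
        raise ValueError(f"refusing path outside {root}: {candidate}")
    return candidate


def allowed_docs(paths, project_root: Path):
    """Filter --docs arguments. Each entry must resolve inside project_root
    (resolve() follows symlinks, so a link pointing out of the tree is
    rejected too) and must not name or traverse a known secret location.
    Rejected entries are dropped rather than raising, so one bad argument
    does not abort the run."""
    root = project_root.resolve()
    accepted = []
    for raw in paths:
        p = (project_root / raw).resolve()
        if root not in p.parents:
            continue  # outside the project, or the root itself
        if any(part in DENY_NAMES for part in p.parts):
            continue  # secret-bearing name somewhere in the path
        accepted.append(p)
    return accepted


if __name__ == "__main__":
    print(session_dir("Add OAuth2 login / ../../etc"))
    print(allowed_docs(["README.md", "../.ssh/id_rsa", ".env", "docs/spec.md"],
                       Path("/tmp/proj")))
```

The slug function is the real control; the containment check in session_dir exists so that a future change to slugify that lets a separator through fails closed instead of writing outside docs/tech-brainstorm/. The --docs filter addresses the Data Exposure finding only partially: a permitted file can still carry injected instructions, which is the separate HIGH finding above and needs boundary markers or a summarization step rather than a path check.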
Recommendations
- AI detected serious security threats
Audit Metadata