gap-analysis
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell commands including `cat`, `jq`, and `grep` to parse state files. It also runs a Node.js script located at `~/stackshift/scripts/run-ast-analysis.mjs` to perform deep code inspection and roadmap generation.
- [PROMPT_INJECTION]: The skill processes external data that could lead to indirect prompt injection.
  - Ingestion points: The agent reads the content of `.stackshift-state.json` and all specification files within the `.specify/specs/` directory.
  - Boundary markers: Absent. The skill does not use specific delimiters or instructions to prevent the agent from obeying commands embedded within the specifications.
  - Capability inventory: The agent has the ability to execute shell commands, run local Node.js scripts, and write new documentation files (`docs/gap-analysis-report.md`).
  - Sanitization: None. The content of the processed files is used directly without validation or filtering.
Audit Metadata