forge
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGH
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: In Phase 3.2, the skill invokes the `Task` tool with `mode: "bypassPermissions"`. This parameter represents an explicit attempt to escalate privileges by requesting the system to disable security boundaries and permission checks for the subagent performing code modifications and test executions.
- [COMMAND_EXECUTION]: The skill performs various shell-level operations through the `git` CLI, including `git stash`, `git status`, `git log`, and `git diff`. It also executes arbitrary test commands defined during the planning phase (Phase 2), which could lead to unauthorized execution if the plan is influenced by malicious input.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its extensive data ingestion surface.
- Ingestion points: Phase 1.1 reads arbitrary workspace files using the `Glob`, `Grep`, and `Read` tools.
- Boundary markers: The skill does not employ delimiters or 'ignore embedded instructions' markers when interpolating ingested file content into prompts for the research, planning, and consensus phases.
- Capability inventory: The skill has high-impact capabilities including file system modification, execution of shell commands, and git repository manipulation (Phase 3).
- Sanitization: No sanitization or validation of the ingested file content is performed before it is processed by the orchestration models (Opus, GPT-5.4-Pro, Gemini 3 Pro).
- [PROMPT_INJECTION]: Phase 5.4 uses instructions that encourage partner models to adopt 'hostile' and 'adversarial' personas. While used for auditing, these patterns mirror behavior-override injections that instruct models to disregard standard operational constraints.
Recommendations
- AI detected serious security threats
Audit Metadata