tdd
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE (flagged categories: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. The orchestrator agent is instructed to read local project documentation (e.g., docs/ARCHITECTURE.md, docs/glossary.md) and interpolate the content verbatim into the prompts of spawned subagents. If these documentation files are modified by an attacker, they could influence the behavior of the subagents.
  - Ingestion points: docs/ARCHITECTURE.md, docs/glossary.md, and event model documents are read by the orchestrator (referenced in references/orchestrator.md and references/shared-rules.md).
  - Boundary markers: The skill uses a 'Fresh Context Protocol' with headers like WORKING_DIRECTORY, TASK, and CONSTRAINTS to structure subagent prompts.
  - Capability inventory: Subagents are granted access to sensitive tools including Edit, Write, Bash, and Grep (described in references/claude-code.md).
  - Sanitization: There is no evidence of sanitization or escaping of the content extracted from project files before it is injected into the subagent prompts.
- [REMOTE_CODE_EXECUTION]: The skill uses the Agent tool to execute subagents with dynamically generated prompts. These prompts incorporate data from the local filesystem, allowing the execution of instructions derived from project documentation.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to perform git operations (git add, git commit) and run project test suites as part of the TDD cycle (references in references/commit-prompt.md and references/green.md).
Audit Metadata