skills/khaki4/my_skills/bf-execute/Gen Agent Trust Hub

bf-execute

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the 'yq' command-line tool via bash to programmatically update the 'docs/sprint-status.yaml' file based on the workflow's progression.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads untrusted data from local documentation files and user feedback, using this content to parameterize child agent tasks spawned through the 'Task tool'.
    • Ingestion points: 'docs/sprint-status.yaml', 'docs/reviews/{EPIC-ID}-review.md', and user-provided modification text.
    • Boundary markers: While the skill uses Markdown headers to separate data, it lacks explicit safety instructions to prevent the agent from obeying instructions embedded within the ingested files.
    • Capability inventory: The skill can spawn new agent tasks with Opus or Sonnet models, perform file system operations, and execute shell commands.
    • Sanitization: There is no evidence of data sanitization, validation, or escaping of the content read from external files before it is forwarded to sub-agent processes.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 06:38 PM