signoff-flow
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it uses external data to drive its core logic and decision-making. If an attacker can influence a repository's files, they can manipulate the agent's behavior.
  - Ingestion points: The skill reads critical configuration from `_bmad-output/governance/governance.yaml` and `_bmad-output/initiatives/<key>/state.yaml` inside the user's project directory.
  - Boundary markers: None detected. The skill lacks delimiters or instructions to ignore embedded commands within the processed files.
  - Capability inventory: The skill possesses high-impact capabilities including creating GitHub Pull Requests (`gh`), creating Jira tasks (`acli`), and modifying local file systems.
  - Sanitization: No sanitization or validation is performed on the data read from files before it is used to construct shell commands.
- [COMMAND_EXECUTION] (HIGH): The skill's primary function involves executing powerful CLI commands (`gh`, `acli`, `git`) that operate with the user's personal credentials. When combined with the lack of input sanitization from external files, this allows for potential unauthorized actions on the user's GitHub and Jira accounts.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The README.md directs users to install the skill and associated tools from an untrusted personal GitHub repository (`kikeacevedo/signoff-flow-skill`). This bypasses the standard security vetting processes of official repositories.
Recommendations
- AI detected serious security threats