ticket-delivery
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from external sources and processes it within the agent context.
  - Ingestion points: Phase 1.1 fetches ticket details (title, description, criteria) from tools like $TICKET_MCP_TOOL; Phase 1.3 fetches error details from $ERROR_TRACKING_MCP_TOOL; Phase 1.4 fetches log entries from $LOGGING_TOOL.
  - Boundary markers: None. The instructions do not define delimiters or provide guidance to the agent to treat fetched external data as untrusted or to ignore embedded instructions.
  - Capability inventory: High. The agent can execute shell commands ($TEST_COMMAND), database queries ($DB_QUERY_COMMAND), and version control operations (git, $VCS_CLI), giving a successful injection a significant impact surface.
  - Sanitization: None. The skill does not instruct the agent to sanitize or escape data from external ticket systems before using it to plan or execute changes.
- [COMMAND_EXECUTION]: The skill constructs and executes shell commands using variables derived from a local configuration file (.supplement.md) and data from external tickets (e.g., $TICKET_ID). This introduces a risk of command injection if the underlying execution environment does not properly sanitize these variables before shell evaluation in Phases 5, 6, and 8.
Audit Metadata