
pd

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill creates a high-risk attack surface by ingesting untrusted user input and using it to generate shell commands in a structured output.
  • Ingestion points: The skill takes input from users to define 'Quality Gate' commands and 'Acceptance Criteria' (SKILL.md, Step 1 & 2).
  • Boundary markers: The output is wrapped in [PRD]...[/PRD] tags, which provides some parsing structure but does not prevent malicious content within those boundaries.
  • Capability inventory: The skill instructs the agent to save the resulting PRD to a local file path (./tasks/prd-[name].md). Furthermore, the PRD is explicitly designed for 'AI Agent execution,' meaning its output directly influences high-privilege downstream automated actions.
  • Sanitization: There is no evidence of sanitization or validation of the shell commands provided by the user. If a user provides rm -rf / or a reverse shell as a 'Quality Gate' command, the skill will faithfully include it in the PRD, which a downstream agent may then execute.
  • Command Execution (MEDIUM): Although the skill itself does not invoke subprocess or exec, it functions as a command-generation factory for automated environments. By allowing users to specify arbitrary command strings (e.g., in the 'Quality Gate' section), it facilitates the introduction of malicious commands into the system's task pipeline.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 10:58 AM