progress
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes content from multiple local Markdown files, creating a surface for indirect prompt injection (Category 8).
  - Ingestion points: Content is aggregated from `daily/*.md`, `blockers/*.md`, `docs/*.md`, and `decisions/*.md`.
  - Boundary markers: The skill does not define clear delimiters or provide instructions to the agent to treat ingested data as untrusted content.
  - Capability inventory: The skill utilizes `Bash`, `TaskCreate`, and `TaskUpdate`, which could be exploited if malicious instructions embedded in the scanned files are executed by the agent.
  - Sanitization: There is no evidence of sanitization or filtering of the file content before it is processed into the report.
- [COMMAND_EXECUTION]: The skill employs dynamic context injection (Category 11) to include the current date in its context.
  - Evidence: The directive `!date +%Y-%m-%d` in the Context section of `SKILL.md` executes at load time.
  - Analysis: This is a benign use of pre-execution commands to provide temporal context, using a standard utility without incorporating user-supplied parameters.
- [COMMAND_EXECUTION]: The skill configuration includes the `Bash` tool and task management utilities despite the description claiming the skill is for read-only synthesis.
  - Analysis: The inclusion of `Bash`, `TaskCreate`, and `TaskUpdate` in `allowed-tools` provides capabilities that exceed the stated read-only purpose, allowing for system command execution and modification of task data.
Audit Metadata