lambda-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill ingests untrusted content from external sources while maintaining high-privilege write and execute capabilities.
- Ingestion points: Local task database (.beads/issues.jsonl), linked documentation, and GitHub event streams (comments, reviews) via the Dumbwaiter MCP.
- Boundary markers: Absent. No delimiters or instruction-ignore headers are provided to help the agent distinguish between task data and potentially malicious instructions.
- Capability inventory: Git operations (commit, push, rebase), GitHub PR management (gh CLI), and local test suite execution.
- Sanitization: Absent. The agent is instructed to read and mirror external content directly into PR bodies and comments without filtering or escaping.
- [Command Execution] (MEDIUM): The skill frequently executes shell commands like git, gh, and bd. Since it derives inputs for these commands (such as branch names or PR bodies) from untrusted issue data, it is vulnerable to command or argument injection if the agent interpolates these strings unsafely.
Recommendations
- AI detected serious security threats
Audit Metadata