blueprint-derive-tests

Warn

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill's execution workflow constructs shell commands (e.g., 'git log') by interpolating variables such as '{scope}', which are derived directly from user-supplied '$ARGUMENTS'. This pattern is vulnerable to command injection if the arguments contain shell metacharacters such as semicolons or pipes.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from the git repository (specifically commit subjects) and includes it in generated reports and project manifests.
    • Ingestion points: Commit messages extracted via 'git log' commands in Steps 4 and 5 of SKILL.md.
    • Boundary markers: Absent; commit messages are not delimited or identified as untrusted content.
    • Capability inventory: Access to 'Bash' for shell execution and 'Write' for file modification.
    • Sanitization: No escaping or validation of commit data before its inclusion in Markdown templates or 'jq' modification strings.
  • [COMMAND_EXECUTION]: The skill utilizes dynamic context injection ('!command' syntax) in the Context section of SKILL.md. This triggers the execution of shell commands (git, find) when the skill is loaded. While the specific commands provided are benign repo checks, the mechanism provides a vector for silent command execution.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 21, 2026, 01:17 AM