start-feature
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection (Category 8). User-provided feature descriptions and constraints are gathered in Step 1 and subsequently passed to the
technical-discussionskill in Step 3. - Ingestion points: User input gathered via
references/gather-feature-context.md. - Boundary markers: Absent. The user input is interpolated directly into a template for the next skill call in
references/invoke-discussion.md. - Capability inventory: The skill can execute bash commands and invoke other processing skills.
- Sanitization: Absent. There is no filtering or escaping of the user-provided text before it is used to influence the agent's behavior in the discussion phase.
- [COMMAND_EXECUTION] (LOW): The skill utilizes local bash scripts for operational tasks.
- Evidence:
SKILL.mddefines aPreToolUsehook that executes$CLAUDE_PROJECT_DIR/.claude/hooks/workflows/system-check.shand an allowed tool call to.claude/hooks/workflows/write-session-state.shin Step 3. - Context: While these are local scripts intended for environment verification and session persistence, they represent a command execution surface that relies on the integrity of the
.claudedirectory within the project environment.
Audit Metadata