start-specification
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill's primary function involves reading and analyzing concluded technical discussion documents (located in docs/workflow/discussion/*.md) to recommend groupings for specifications. This ingestion of untrusted data from the workspace creates a surface for indirect prompt injection.
  - Ingestion points: As defined in references/analysis-flow.md, the agent is instructed to read the entire document for every concluded discussion.
  - Boundary markers: The skill does not use specific delimiters or instructions to ignore embedded prompts within the source documents.
  - Capability inventory: The skill has access to whitelisted Bash commands (mkdir, rm) and specialized state management scripts, and it can hand off execution to the technical-specification skill.
  - Sanitization: There is no implemented validation or sanitization of the discussion file content prior to processing.
- Command Execution (SAFE): The skill employs the allowed-tools frontmatter to restrict Bash execution to a specific whitelist of commands and local scripts (e.g., discovery.sh, write-session-state.sh). This implementation of least privilege prevents arbitrary command execution and limits the impact of potential script abuse.
Audit Metadata