technical-implementation
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill is designed to run shell commands discovered in workspace files like docs/workflow/environment-setup.md and tracking.md. This mechanism allows for execution of commands that are not hardcoded in the skill itself.
- [EXTERNAL_DOWNLOADS] (LOW): The setup instructions provide examples of system package installation (e.g., sudo apt-get install), which involve downloading external software with elevated privileges.
- [PROMPT_INJECTION] (LOW): The skill possesses a significant surface for indirect prompt injection (Category 8). 1. Ingestion points: Reads instructions from docs/workflow/environment-setup.md, .claude/skills/, and implementation plans. 2. Boundary markers: No explicit markers or 'ignore' instructions are used when processing these files. 3. Capability inventory: Includes shell execution (bash), sudo access, and agent dispatching via the Task tool. 4. Sanitization: There is no evidence of validation or sanitization for the commands extracted from documentation.
- [COMMAND_EXECUTION] (MEDIUM): Use of sudo in environment setup instructions indicates potential for privilege escalation if the source documentation is malicious.
- [COMMAND_EXECUTION] (MEDIUM): The skill utilizes 'auto' gates for task approval and fix cycles (e.g., task_gate_mode, fix_gate_mode), which can be enabled by the agent or by modifying the tracking.md file. This reduces human oversight and could be exploited to persist malicious changes.
Audit Metadata