technical-planning
Fail
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: In
references/output-formats/tick/about.md, the skill instructs the user to install the 'Tick' CLI tool by downloading a script from a remote URL and piping it directly into bash:curl -fsSL https://raw.githubusercontent.com/leeovery/tick/main/scripts/install.sh | bash. This is a dangerous pattern that executes unverified remote code. - [COMMAND_EXECUTION]: The skill constructs shell commands to create tasks via the
tickCLI using descriptions parsed from external specification files. The instructions inreferences/output-formats/tick/authoring.mdonly require escaping double quotes. They fail to sanitize other shell-active characters like backticks (`) or subshell markers ($()), which could allow for command injection if a specification file contains malicious content. - [EXTERNAL_DOWNLOADS]: The skill references external binaries and installation paths for the 'Tick' tool in
references/output-formats/tick/about.md, including Homebrew taps and Go installs from the author's GitHub repositories. - [PROMPT_INJECTION]: The skill handles untrusted data from specification files which are used to generate tasks and influence agent behavior. This creates a surface for indirect prompt injection (Category 8).
- Ingestion points: Specification content provided to
SKILL.mdand read by agents inreferences/read-specification.md. - Boundary markers: No explicit delimiters or boundary warnings are provided in the prompt templates.
- Capability inventory: Execution of shell commands via the
tickCLI, local file manipulation (create/delete), and interaction with the Linear MCP service. - Sanitization: Extremely limited; the instructions only mention escaping double quotes for shell arguments.
Recommendations
- AI detected serious security threats
Audit Metadata