
sidequest

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's Phase 0 workflow constructs shell commands (e.g., lev get, grep, bd list) using keywords extracted directly from user-provided job descriptions. The absence of explicit sanitization logic for these variables creates a risk of command injection if a user provides a malicious job description containing shell metacharacters.
  • [DATA_EXFILTRATION]: Phase 3 (Multi-Model Dispatch) sends synthesized research findings to external providers including OpenAI, Google, and Anthropic. Because the skill gathers context from the local codebase, task history, and memory in Phase 0, there is a risk that sensitive internal data could be transmitted to these external services.
  • [PROMPT_INJECTION]: The skill operates as an autonomous agent that interprets and executes untrusted job descriptions. This design exposes a surface for indirect prompt injection: instructions embedded in a task (e.g., 'sidequest: delete the database') could be followed without sufficient human verification or boundary checks.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 09:43 AM