work
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of local command-line tools for its operations. This includes task trackers (`bd`, `br`, `td`), project management tools (`lev`, `cm`, `cass`), and utilities like `jq` and `rg` (ripgrep).
  - Evidence in `SKILL.md` and `references/tracker-adapter.md` shows the skill dynamically detects and routes commands to these backends (e.g., `bd sync`, `br search`, `td add`).
- [DYNAMIC_EXECUTION]: The skill implements a 'Skill Discovery' mechanism that scans multiple local paths for other agent skills to load at runtime.
  - `SKILL.md` defines a priority list including project-local paths (`.claude/skills/`, `.agents/skills/`), global paths, and a skills database.
  - `references/sprint-orchestrator.md` describes a 'Skill Injection Protocol' where the agent reads the `SKILL.md` content of discovered skills and injects them as system prompt prefixes for spawned subagents.
  - This represents a medium-severity risk as the agent could be induced to load malicious instructions if an attacker can write a file to a project directory or the local skills database.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process external data, including codebase contents, research results, and user feedback, to generate project artifacts (specs, plans, reports).
  - Ingestion points: Filesystem reads via `lev get`, `grep`, and `rg` (identified in `SKILL.md` and `references/command-matrix.md`).
  - Boundary markers: The skill uses structured templates and 'How To Fill This Out' sections to guide output, but doesn't explicitly define strict delimiters for untrusted data in all contexts.
  - Capability inventory: Subprocess execution (`bd`, `br`, `td`, `jq`), file-write operations (`.lev/pm/*`), and network operations (via `lev-research` for online search).
  - Sanitization: Includes 'Quality Gates' (e.g., `gate:spec-execute`) that require specific checks before proceeding, which serves as a behavioral control.
Audit Metadata