taskmaster
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The 'FULL Mode' protocol requires the agent to execute the shell commands listed in the 'validation_command' column of the 'TODO.csv' file. The skill treats any command that returns a zero exit code as a passing validation, so whoever controls that column can run arbitrary shell commands on the host system.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its task artifact files. The agent is explicitly instructed to 'RE-READ' files like 'TODO.csv' and treat them as the authoritative source of truth, bypassing its own memory or internal safety context.
  - Ingestion points: '.codex-tasks//TODO.csv' and 'SPEC.md' files read from the project directory.
  - Boundary markers: None. The instructions prioritize the file content over the agent's memory.
  - Capability inventory: The agent can execute shell commands, perform file system operations, and make network requests.
  - Sanitization: There is no validation or escaping of the 'validation_command' strings before they are passed to the shell for execution.
- [DATA_EXFILTRATION]: The skill defines a rule ('Rule 7: Cache before process') that encourages fetching data from external URLs (APIs, web pages) and saving raw results to a local directory. This facilitates network connections to arbitrary, non-whitelisted domains.
Recommendations
- AI detected serious security threats