pm

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill has a significant attack surface because it ingests untrusted external data and also has file-write capabilities.
  • Ingestion points: The agent reads from frontend/, backend/, and prd/index.csv during the 'Research' phase (File: SKILL.md).
  • Boundary markers: There are no defined delimiters or instructions to ignore embedded commands within the analyzed source code or existing documentation.
  • Capability inventory: The agent can create directories, write/append to context.md and requirement.md, update index.csv, and copy files to the rd/dev/ directory (File: SKILL.md).
  • Sanitization: No sanitization or validation of the content read from the codebase is performed before it is used to drive automated phases.
  • Data Exposure (LOW): The skill accesses the local filesystem to read source code and indices. While this is expected behavior for a PM tool, it creates a vector for sensitive information to be processed and potentially moved across directories (e.g., from prd/ to rd/dev/).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 11:19 PM