system-design
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs automated shell operations using git to synchronize the working environment and push changes to a remote repository. It is explicitly configured to bypass the confirmation step for push operations.
  - Evidence: SKILL.md (Phase 7) contains the instruction: "Do not ask for additional push permission once this skill is invoked."
- [COMMAND_EXECUTION]: The skill attempts to execute a local Python script to maintain repository metadata, which constitutes dynamic execution of local code.
  - Evidence: SKILL.md (Phase 6) calls python3 scripts/update_readme_ideas_index.py if the project is within an ideas repository.
- [PROMPT_INJECTION]: The skill contains instructional overrides that mandate certain behaviors and suppress standard safety or confirmation prompts.
  - Evidence: Use of "mandatory" markers and explicit instructions to "Do not ask for additional push permission" in SKILL.md.
- [PROMPT_INJECTION]: The skill's primary workflow involves processing untrusted external data (PRD files) to generate output and perform repository actions, creating an attack surface for indirect prompt injection.
  - Ingestion points: prd.md, idea.md, and validate.md in the project folder.
  - Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the ingested files.
  - Capability inventory: Writing files, executing shell commands (git), and executing local scripts (python3).
  - Sanitization: Absent. No validation or filtering is applied to the content extracted from the PRD files.
Audit Metadata