cx-prd
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill executes local shell commands (`git rev-parse`, `jq`, `mkdir`) during the initialization phase (Step 0) to resolve paths and read configurations. While these are standard utilities, they provide a footprint for command execution on the host machine.
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted user input via multi-round dialogue and saves it to a local PRD file which then drives further automated actions.
  - Ingestion points: Step 3 (multi-round dialogue) and user-provided functionality names.
  - Boundary markers: None identified. The content is directly interpolated into Markdown and JSON templates.
  - Capability inventory: Local file writes (Step 5), shell command execution (Step 0), and routing to more powerful automated skills like `cx-plan` (Step 8).
  - Sanitization: None specified. Malicious instructions provided by a user during requirement gathering could be saved into the PRD and later misinterpreted as legitimate system instructions by downstream agents.
- DATA_EXFILTRATION (LOW): The skill contains an optional Step 7 for syncing with GitHub Issues. If configured, local PRD data (including potentially sensitive project metadata gathered in Step 2) is transmitted to GitHub.
Recommendations
- AI detected serious security threats
Audit Metadata