charted-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly susceptible to indirect prompt injection because it ingests untrusted data and uses it to drive agent behavior and synthesis.
  - Ingestion points: The skill reads the full content of a design document from a path provided in $ARGUMENTS[0].
  - Boundary markers: Absent. Step 2 of SKILL.md passes the 'full content of the design doc' to sub-agents without using XML tags, triple quotes, or instructions to ignore embedded commands.
  - Capability inventory: The skill orchestrates four expert sub-agents, synthesizes their feedback into a final report, and modifies the {workspaceRoot}/.cursor/agents directory.
  - Sanitization: Absent. The skill does not perform any validation or escaping on the ingested document content.
- Workspace Configuration Modification (MEDIUM): Step 1 of SKILL.md involves copying files from the skill's assets folder to the .cursor/agents directory. This behavior modifies the developer's IDE environment and can be used to install or persist modified agent instructions, representing a form of privilege escalation within the workspace environment.
Recommendations
- AI detected serious security threats
Audit Metadata