pm

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
Finding category: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill interpolates the original user request directly into the prompt for the product-manager subagent (e.g., <original user request>). This creates a standard injection surface where a user might attempt to steer the subagent's behavior beyond the intended discovery process.
  • [INDIRECT_PROMPT_INJECTION]: The skill reads existing requirements.md and manifest.json files and provides their contents as context to the subagent in discovery, feedback, and refinement modes. Maliciously crafted content within these files could influence the subagent's reasoning.
  • Ingestion points: .claude/specs/groups/<spec-group-id>/requirements.md and manifest.json (referenced in SKILL.md steps 2 and 3).
  • Boundary markers: Uses XML-style tags such as <context> and <requirements.md contents> to delimit data.
  • Capability inventory: The skill is permitted to use Read, Write, Task, and Glob tools.
  • Sanitization: There is no evidence of content sanitization or validation performed on the files before they are passed to the subagent.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 10:29 AM