write-a-prd
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection vulnerability. The skill ingests untrusted content from the user and the repository, which is then used to generate a GitHub issue. Malicious instructions in these inputs could hijack the agent's behavior during the PRD creation process.
- Ingestion points: Steps 1 and 2 in SKILL.md (user input and repository exploration).
- Boundary markers: Absent. There are no instructions to delimit or ignore instructions within the ingested data.
- Capability inventory: The agent has the capability to create GitHub issues (Step 7), which is a persistent side-effect.
- Sanitization: Absent. The skill does not define any validation or filtering logic for the data before it is formatted into the issue template.
- [DATA_EXFILTRATION] (MEDIUM): Risk of sensitive data exposure. The skill's workflow involves reading repository content and publishing a summary to an external platform (GitHub). An attacker could use prompt injection to trick the agent into including sensitive information found in the repository, such as secrets or private keys, in the public-facing PRD. While Step 7 contains a minor instruction to avoid file paths, this is insufficient to prevent intentional exfiltration.
Recommendations
- AI detected serious security threats
Audit Metadata