executing-work-items
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it incorporates external, untrusted data into its decision-making process for code modification.
  - Ingestion points: Untrusted data is ingested in SKILL.md through pm_context.get_item and pm_context.get_children (Steps 1 and 3), which retrieve work item descriptions, acceptance criteria, and metadata from an external project management tool.
  - Boundary markers: The skill does not define boundary markers or provide instructions to ignore embedded commands within the ingested work item data.
  - Capability inventory: The skill has the capability to identify files for modification, plan implementation strategies, and orchestrate sub-agents to perform code changes (Steps 4, 5, and 6).
  - Sanitization: There is no evidence of sanitization, validation, or escaping of the content retrieved from the external PM tool before it is used to guide the agent's implementation plan.
- [COMMAND_EXECUTION]: The skill's core functionality involves high-impact operations including codebase modification and agent orchestration.
  - Evidence: Steps 4 and 6 detail the process of identifying files to modify and executing implementation phases, which results in direct changes to the user's source code and environment.
  - Mitigation: The skill metadata explicitly sets disable-model-invocation: true, ensuring that these high-impact actions cannot be triggered automatically by the AI agent and instead require explicit user confirmation.
Audit Metadata