pm-context
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill fetches work item data, including titles, descriptions, and comments, from external PM platforms (GitHub, Jira, Linear) and local markdown files. This content originates from potentially untrusted sources and could contain malicious instructions designed to hijack the agent's behavior.
  - Ingestion points: Operations in adapters/github.md, adapters/jira.md, adapters/linear.md, and adapters/markdown.md retrieve external data.
  - Boundary markers: No specific delimiters or 'ignore' instructions are used when incorporating fetched data into the agent's context.
  - Capability inventory: The skill enables shell command execution via CLI tools and local filesystem modifications in adapters/markdown.md.
  - Sanitization: There is no evidence of sanitization or validation for the content retrieved from PM tools.
- [COMMAND_EXECUTION]: Shell Injection Risk in Command Templates. The adapter files provide bash command templates (e.g., in adapters/github.md and adapters/jira.md) that use simple string interpolation for fields like and . If an agent implements these templates by directly substituting user-provided text into the shell commands without proper escaping, it could lead to arbitrary command execution.
Audit Metadata