refining-work-items
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface identified in the workflow for refining work items. The skill ingests external data that could contain malicious instructions.
  - Ingestion points: Untrusted data is retrieved from a project management tool via `pm-context.get_item(id)` in `SKILL.md`.
  - Boundary markers: The templates (`epic-template.md`, `feature-template.md`, `task-template.md`) do not implement delimiters or specific instructions to isolate the ingested work item content from the agent's instructions.
  - Capability inventory: The skill instructions grant the agent the ability to write to the project management tool (`pm-context.update_item`, `pm-context.create_item`) and perform filesystem searches (`Glob`, `Grep`).
  - Sanitization: No sanitization, validation, or filtering of the external work item content is described in the refinement workflow.
- [COMMAND_EXECUTION]: The skill triggers codebase analysis using `Glob` and `Grep` utilities. While these are standard search operations, they are directed by technical context extracted from potentially untrusted work item descriptions.
Audit Metadata