brainstorm
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface in Phase 3 and Phase 5b. User-provided ideas and project context descriptions are directly interpolated into the prompts of sub-agents (e.g., 'web-search-researcher', 'codebase-locator') and used to parameterize other skills (e.g., the 'adr' skill). Without proper delimiters or sanitization, a malicious idea could influence the behavior of these sub-agents or the content of generated documentation.
  - Ingestion points: User-provided core concept and project context in Phase 1 (SKILL.md).
  - Boundary markers: Absent; user input is embedded into sub-agent prompts (e.g., '[idea topic]', '[relevant feature area]') without delimiters or instructions to ignore embedded commands.
  - Capability inventory: Spawns parallel sub-agents for web and codebase research, invokes the 'adr' skill for documentation, and performs file read/write operations on the local 'docs/' directory.
  - Sanitization: No validation or sanitization of the input concept is observed before it is used in downstream tool calls.
- [EXTERNAL_DOWNLOADS]: The skill intentionally invokes a 'web-search-researcher' sub-agent to fetch best practices and industry patterns from the internet. While this is the intended functionality for research, it involves processing untrusted external data based on user-influenced search queries.