review-draft-story
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted data from story files, epics, and architecture documentation. This content is directly interpolated into prompts for specialist sub-agents (PM, UX, SM) in Phase 1. The lack of boundary markers or instructions to ignore embedded commands creates a risk of indirect prompt injection, where malicious text in the story documentation could manipulate the review outcome or trigger unintended orchestrator decisions.
  - Ingestion points: Story files, epic files, and architecture docs read in Phase 0 and Phase 1.
  - Boundary markers: Absent; content is interpolated directly.
  - Capability inventory: Task spawning, TodoWrite, and GitHub CLI commands (merge, close).
  - Sanitization: Absent.
- [COMMAND_EXECUTION]: The skill automates project management tasks using the GitHub CLI (gh pr merge, gh issue close) and shell commands (mv). While these are intended functionalities for a development-focused skill, they provide an execution path that could be exploited if the orchestrator's logic is subverted via injected content in the documentation it processes.