repo-kanban-pm
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/add_daily_pm_cron.sh` uses the `openclaw` tool to create a persistent scheduled cron job that runs a PM review task.
- [EXTERNAL_DOWNLOADS]: The cron job instructions for the agent include running `npx tsc --noEmit`. This involves downloading and executing packages from the npm registry at runtime, which is an external and potentially untrusted source.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection vulnerability within the automated daily review process.
  - Ingestion points: The agent reads from `docs/roadmap/ROADMAP.md`, `docs/features/*/KANBAN.md`, and any files in `docs/pm/bugs/*.md`.
  - Boundary markers: Absent; there are no delimiters or instructions provided to the agent to treat data from these files as untrusted or to ignore embedded instructions.
  - Capability inventory: The agent has the ability to run shell commands (`npx`, `gh`), modify repository files, and manage pull requests.
  - Sanitization: Absent; the agent is instructed to update the repository state (Kanban and Roadmap) directly based on the contents of these external documents without any sanitization or verification.
- [COMMAND_EXECUTION]: The `scripts/init_repo_pm.sh` script creates a series of directories and files and appends logic to `AGENTS.md`, which modifies the instructions and constraints for all agents working in the repository.
Audit Metadata