backlog
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted feature descriptions from a backlog file, which are then used to generate implementation plans. This creates a surface for indirect prompt injection.
  - Ingestion points: The `triager` agent reads task descriptions from `.backlog/backlog.md` and populates PRD files (triage/SKILL.md).
  - Boundary markers: Absent. The instructions do not specify any delimiters or safety prompts to isolate user-provided task descriptions from the agent's instructions.
  - Capability inventory: The `implementer` agent (implement/SKILL.md) has the capability to modify source code and execute git commands as well as project-specific linting and testing tools.
  - Sanitization: The workflow relies on manual human verification of the 'approved' status in the PRD and Plan files before the implementer agent acts.
- [COMMAND_EXECUTION]: The `implementer` agent is instructed to execute local system commands to manage the development branch and verify changes.
  - Evidence: In `implement/SKILL.md`, the agent is directed to use `git pull`, `git checkout`, `git rebase`, and `git commit`. It is also instructed to 'Run relevant lint/tests'.
  - Mitigation: The skill includes explicit rules against `git push`, force pushing, and automatic PR creation, which limits the scope of command execution to the local environment.
Audit Metadata