trellis-meta
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The documentation for multi-session development (references/claude-code/multi-session.md) specifically instructs the use of the `--dangerously-skip-permissions` flag when automating the agent. This flag bypasses the platform's native security prompts, allowing the agent to execute tools without human oversight.
- [COMMAND_EXECUTION]: The system architecture implements a hook system that executes arbitrary shell commands defined in user-controlled configuration files (`config.yaml` and `worktree.yaml`). This includes lifecycle hooks (`after_create`, `after_start`) and verification commands (Ralph Loop). These locations provide a direct path for command injection if an attacker can influence the configuration content.
- [PROMPT_INJECTION]: The skill defines a system architecture that is highly susceptible to indirect prompt injection. Agents are designed to ingest and process unvalidated external files to drive subsequent file operations and command execution.
  - Ingestion points: Requirements documents (`prd.md`), technical design files (`info.md`), and JSONL context files located within task directories (referenced in references/core/tasks.md).
  - Boundary markers: The documentation does not specify or encourage the use of boundary markers or safety delimiters when agents ingest requirements or external specifications.
  - Capability inventory: Agents possess powerful tools including `Bash`, `Write`, `Edit`, `Glob`, and `Grep` (documented in references/claude-code/agents.md), providing a high-impact exploitation path if an agent is successfully subverted.
  - Sanitization: There is no evidence of sanitization or validation protocols for external requirement data before it is interpolated into agent prompts.
Audit Metadata