parallel
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by interpolating user-provided requirements and feature names into shell command arguments.
  - Ingestion points: User requirement descriptions, feature names, and task titles provided through the chat interface.
  - Boundary markers: Commands use double quotes for interpolation (e.g., --requirement "") but do not include instructions to escape shell-sensitive characters.
  - Capability inventory: The agent can execute local Python scripts, read repository files, and write to the task directory.
  - Sanitization: There is no evidence of sanitization or validation of the user-provided data before it is executed as part of a bash command.
- [COMMAND_EXECUTION]: The orchestrator manages tasks by executing various local Python scripts (e.g., plan.py, start.py, task.py) located within the ./.trellis/ directory. These are core components of the provided workflow.