Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE
Flagged behaviors: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill frequently executes local Python scripts and shell commands to manage development tasks. Specifically, it calls python3 ./.trellis/scripts/get_context.py and python3 ./.trellis/scripts/task.py with various arguments. These scripts are project-local and represent the skill's primary functional logic.
- [PROMPT_INJECTION]: The skill presents a potential command injection surface in Phase 1, Step 2, where user-supplied input such as <title> and <name> is interpolated into a shell command: TASK_DIR=$(python3 ./.trellis/scripts/task.py create "<title>" --slug <name>). If the agent does not properly escape these inputs, an attacker could provide a task name containing shell metacharacters to execute arbitrary commands.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It explicitly instructs the agent to read and follow instructions from external files such as .trellis/workflow.md and various files within .trellis/spec/. If these files are modified by an external contributor or attacker, they could contain malicious instructions that hijack the agent's behavior.
- Ingestion points: .trellis/workflow.md, .trellis/spec/**/*, and user-provided task descriptions.
- Boundary markers: None. The agent is told to "Follow the instructions in workflow.md" directly.
- Capability inventory: File reading (cat), local script execution (python3), and implied file system modifications via task.py.
- Sanitization: None. The skill assumes the contents of the .trellis directory are trusted.
Audit Metadata