moai-workflow-tdd
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (LOW): Vulnerable to Indirect Prompt Injection through the ingestion of external requirement specifications. Ingestion points: The skill instructions in SKILL.md direct the agent to 'Read SPEC document for feature scope' and 'Identify test cases from acceptance criteria'. Boundary markers: Absent. There are no instructions to treat the SPEC data as untrusted or to use delimiters to prevent command leakage. Capability inventory: The skill has access to powerful tools including Write, Edit, and Bash for multiple language runtimes (pytest, npm, node, cargo, go, etc.) as defined in the allowed-tools section of SKILL.md. Sanitization: Absent. No sanitization or validation of the input SPEC is performed before the agent uses it to write and execute code.
- COMMAND_EXECUTION (LOW): The skill allows the execution of a broad set of bash commands related to various language ecosystems (e.g., Bash(npm:*), Bash(cargo:*)). While aligned with the TDD purpose, this broad access increases the potential impact of a successful prompt injection attack, where a malicious spec could trick the agent into running arbitrary commands.
- EXTERNAL_DOWNLOADS (LOW): The allowed tools include package managers like npm, cargo, and uv, which can download and execute external code. While necessary for a development workflow, they represent a potential vector for supply chain attacks if the agent is directed by an untrusted specification to install malicious packages.
Audit Metadata