todo
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill reads from a file in the workspace, which serves as an ingestion point for untrusted data in multi-user or shared environments.
- Ingestion points: `.alma/todos-<THREAD_ID>.md` via the `Read` tool.
- Boundary markers: Absent; the skill does not use specific delimiters or instructions to ignore embedded commands within the todo list.
- Capability inventory: Limited to `Read` and `Write` operations; no command execution or network access is permitted by the skill's tool definition.
- Sanitization: Absent; the skill processes the file content as raw Markdown without validation.
Audit Metadata