gsd-orchestration
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to process untrusted data from project repositories to drive its orchestration engine. Evidence:
  1. Ingestion Point: XML task definitions are parsed from PLAN-X.md files, as seen in 'scripts/validate_plan.py'.
  2. Capability Inventory: The manifest defines 'gsd execute' and 'gsd execute-overnight' commands that perform actions based on these plans.
  3. Sanitization: No sanitization or filtering of command content is present; 'validate_plan.py' only checks for structural validity and task atomicity.
  4. Boundary Markers: While XML tags are used, they provide no protection against instructions specifically designed to override agent behavior.
- Command Execution (HIGH): The 'gsd' command suite facilitates the execution of arbitrary shell commands. The validation logic explicitly encourages the inclusion of specific commands like 'curl', 'bash', 'npm', and 'psql' within the task plans, which are then run during execution or verification phases.
- External Downloads (MEDIUM): An automated scanner alert (URL:Blacklist) indicates a malicious URL exists within 'REQUIREMENTS.md'. Although this file was not provided for manual review, its metadata presence and the scanner hit suggest the potential for malicious dependency installation or remote script fetching.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata