project-scaffold
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by serving as a persistence layer for untrusted content that downstream skills are instructed to process.
  - Ingestion points: User-provided project titles, research questions, and directory paths are captured during the project initialization and adoption phases and written to local files (Files: SKILL.md).
  - Boundary markers: The templates for project.yaml and README.md do not include delimiters or protective instructions to prevent downstream skills from inadvertently executing instructions embedded in these fields (Files: templates/project.yaml, templates/README.md).
  - Capability inventory: The skill description explicitly states that other skills in the ecosystem (e.g., research-coordinator) will read these files to determine paths and state, effectively placing the unsanitized user content into the agent's reasoning path (File: SKILL.md).
  - Sanitization: There is no evidence of sanitization or character escaping for the strings written to the metadata files, allowing potential malicious instructions to remain intact for later processing.
Audit Metadata