verifier
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8). It extracts content from external manuscripts and source documents, incorporating it directly into prompts for sub-agents without protection against embedded instructions.
- Ingestion points: Manuscript files (e.g., draft.md) and source materials like interview transcripts (maria.md, jose.md) or literature PDFs.
- Boundary markers: The Haiku agent prompt template in phases/phase3-verification.md lacks explicit delimiters or instructions to ignore embedded commands within the [transcript content] or [quote to verify] blocks.
- Capability inventory: The agent can read/write files, execute shell commands (git, grep), and spawn sub-agents with specific tasks.
- Sanitization: No validation or escaping is performed on the extracted text before it is used in sub-agent prompts.
- [COMMAND_EXECUTION]: The skill instructions direct the agent to execute shell commands (ls, git, grep) using paths and patterns derived from user-provided files.
- Evidence: phases/phase2-mapping.md uses ls on paths defined in project.yaml, which could be exploited if the configuration file is maliciously crafted.
- Evidence: phases/phase3-verification.md utilizes a grep tool with search patterns extracted directly from the manuscript's quotes. If a quote contains shell metacharacters and the tool is invoked via a shell environment, it presents a risk of command injection.
Audit Metadata