do-and-judge
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The instructions utilize aggressive language and extreme negative reinforcement (e.g., "you will be killed immediately") to constrain the agent's behavior and tool usage.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it interpolates untrusted user input directly into the prompts of multiple sub-agents.
- Ingestion points: The user-supplied task description is injected into meta-judge, implementation, and judge agent prompts in Phase 2 and Phase 3.
- Boundary markers: No explicit delimiters or instructions are provided to the sub-agents to treat the user input as untrusted or to ignore embedded instructions.
- Capability inventory: The orchestrator utilizes the Task tool to invoke powerful sub-agents (e.g., sdd:developer, sdd:researcher) which typically possess file system and shell access.
- Sanitization: No validation or sanitization of the user input is performed before interpolation.
Audit Metadata