do-competitively
Warn
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill uses coercive language such as 'Any deviations will be considered as failure and you will be killed!' and 'Missing it, will result in your TERMINATION imidiatly!' to force adherence to the workflow. This aggressive tone is characteristic of adversarial prompt techniques used to bypass an agent's standard operational constraints.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection as it interpolates raw user input, including task descriptions and codebase context, directly into the prompts of Meta-Judge, Generator, Judge, and Synthesizer sub-agents.
  - Ingestion points: User-supplied variables {Original task description from user}, {relevant_context}, and {task_description} in SKILL.md.
  - Boundary markers: Absent; user data is placed directly into markdown headers without clear delimiters or instructions to ignore embedded instructions.
  - Capability inventory: Sub-agent creation via the Task tool and local file system modifications.
  - Sanitization: Absent; no validation or escaping of external content before interpolation.
- [COMMAND_EXECUTION]: The skill executes shell commands to modify the local environment, specifically mkdir -p .specs/reports to prepare a directory for output.
- [DATA_EXFILTRATION]: The orchestration process involves passing internal environment variables like ${CLAUDE_PLUGIN_ROOT} and broad codebase context to multiple sub-agent instances, increasing the internal exposure of sensitive system data.
Audit Metadata