auto-iterate
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads external documentation and tool outputs to determine which commands to execute.
- Ingestion points: Governance documents located in the docs_root directory and the output generated by the plan-next skill (SKILL.md, README.md).
- Boundary markers: The instructions do not define explicit boundary markers or "ignore instructions" wrappers when interpolating data from governance documents into the command execution flow.
- Capability inventory: The skill has high-privilege capabilities, including the ability to execute other skills and shell-like commands based on parsed recommendations (SKILL.md, Behavior section).
- Sanitization: There is no evidence of sanitization or validation for the command arguments derived from external documents, although the skill does implement a hardcoded blacklist ("manual gate") for specific strategic skills like define-mission (SKILL.md, Rule 2).
Audit Metadata