implement
Warn
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Dynamic Execution] (MEDIUM): The skill performs dynamic loading of instruction files from computed paths.
- Evidence: In Phase 3, the agent is instructed to "Read D:\.claude\skills\{skill-name}\SKILL.md" based on a detected domain. While a table of examples is provided, an attacker could attempt to influence the {skill-name} variable via the implementation plan to perform path traversal and access unintended files on the host system.
- [Indirect Prompt Injection] (LOW): The skill exhibits a significant attack surface for indirect prompt injection as it translates untrusted input into code and commands.
- Ingestion points: Implementation plans provided by the user and previous conversation context (Phase 1).
- Boundary markers: Absent; there are no instructions to ignore embedded commands or use specific delimiters for external content.
- Capability inventory: Arbitrary command execution via a "Bash agent", file modification via "TodoWrite", and code implementation (Phase 3).
- Sanitization: Absent; the agent is instructed to identify and execute the scope directly from the input.
- [Command Execution] (LOW): The skill relies on high-privilege sub-agents to perform its core functions.
- Evidence: The workflow explicitly triggers a "Bash agent" for "Multi-step bash operations" and executes build, lint, and test commands (Phase 3 and 4). This is consistent with its primary purpose but increases the impact of successful prompt injection.
Audit Metadata