feature-pipeline
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill is highly susceptible to Indirect Prompt Injection as it processes external, potentially untrusted design files to drive agent actions.
  - Ingestion points: Task titles, file lists, and acceptance criteria are read directly from design markdown files (e.g., docs/designs/xxx.md).
  - Boundary markers: Absent. The skill contains no instructions to delimit untrusted data or to ignore embedded commands within the markdown checkboxes.
  - Capability inventory: The agent is granted the capability to modify the filesystem ('IMPLEMENT') and to execute verification scripts ('VERIFY'), which poses a risk if tasks contain malicious payloads.
  - Sanitization: Absent. There is no validation of the task content before execution.
- [PROMPT_INJECTION] (LOW): The 'Unattended Mode' instructions ('NO stopping for questions', 'NO asking for clarification') deliberately suppress the agent's ability to identify and report suspicious or malicious instructions in the design documents.
- [COMMAND_EXECUTION] (SAFE): The skill executes a local script, scripts/task_manager.py, to manage implementation state. This is a routine operation for the skill's stated purpose.