brainstorming
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill possesses a significant indirect prompt injection surface. It is explicitly instructed to 'Check out the current project state first (files, docs, recent commits)' to understand the project context.
  - Ingestion points: Ingests untrusted data from local project files, documentation, and git commit history (SKILL.md).
  - Boundary markers: No delimiters, markers, or instructions to ignore embedded commands are present to protect the agent from malicious instructions within the project files.
  - Capability inventory: The skill has the authority to write to the filesystem ('docs/plans/') and execute git commits.
  - Sanitization: No sanitization or validation of the ingested project data is performed before it is used to generate the design or commit changes.
- [COMMAND_EXECUTION] (MEDIUM): The skill performs filesystem writes and git operations (commit) based on the context it processes.
  - Evidence: Found in the 'After the Design' section of SKILL.md.
  - Risk: These capabilities act as the execution 'sink' for an indirect prompt injection attack, allowing an attacker to persist malicious content in the repository via the agent.
Recommendations
- AI detected serious security threats
Audit Metadata