architect
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's primary workflow involves processing external user requirements to generate technical designs and a plan.md file, which then triggers automated skill chaining.
  - Ingestion points: User-provided architectural requirements and existing project documentation.
  - Boundary markers: Absent. There are no instructions to the agent to treat user requirements as data rather than instructions, nor are there delimiters to wrap external content.
  - Capability inventory: The skill is granted Read, Write, and Edit permissions, and is explicitly commanded to invoke other skills using the Skill({skill: ..., args: ...}) pattern.
  - Sanitization: Absent. The arguments passed to subsequent skills (e.g., sw-frontend:frontend-architect) are derived directly from the technology stack defined in the user-influenced plan.
- [Unverifiable Dependencies] (MEDIUM): The skill uses a 'phased loading' approach referencing three files in a phases/ directory (01-analysis.md, 02-adr-creation.md, 03-diagrams.md). These files are not included in the provided package, meaning they could contain malicious instructions or persona overrides that remain hidden during static analysis.
- [Command Execution] (LOW): The skill is granted Edit and Write tools. While necessary for its stated purpose of creating ADRs and diagrams, these capabilities provide a high-impact vector for data modification if the agent is successfully manipulated via indirect injection.
Recommendations
- AI detected serious security threats