developer-agent
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface.
  - Ingestion points: The skill ingests untrusted user-provided links and attachments in SKILL.md (Stage 5) and references/workflow-details.md.
  - Boundary markers: Minimal delimiters are used (e.g., "Attached Resources" header in references/workflow-details.md), but there are no explicit instructions to the receiving agent to treat the content as untrusted data or ignore embedded instructions.
  - Capability inventory: The skill has high-impact capabilities including local shell command execution (pnpm build) and repository modification via git operations (SKILL.md, Stages 8 and 9).
  - Sanitization: No sanitization is performed. In fact, references/cursor-guidelines.md explicitly mandates including "ALL user-provided links" and "ALL user-provided attachments" when prompting the sub-agent.
- [COMMAND_EXECUTION] (SAFE): The skill performs shell command execution to manage the development lifecycle.
  - Evidence: pnpm build, git checkout, git commit, and git push commands are found in SKILL.md (Stages 2, 8, and 9).
  - Context: These operations are necessary for the skill's primary purpose as a developer orchestrator and do not involve immediate execution of remote or untrusted scripts.
Audit Metadata