check-status
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- Prompt Injection (MEDIUM): In `scripts/gatherers/linear-gatherer.ts`, the `team` argument is interpolated directly into a natural language prompt for a headless Claude session without validation, enabling direct prompt injection into the sub-agent's instructions.
- Data Exfiltration (MEDIUM): The `scripts/gatherers/linear-gatherer.ts` script reads `~/.claude/settings.json` and `~/.claude/settings.local.json`. These files contain sensitive agent configurations and potential API keys for MCP servers.
- Command Execution (LOW): The skill relies on `Bun.spawn` to execute multiple local command-line tools. While functional, this represents a significant privilege surface area.
- Indirect Prompt Injection (LOW): The skill gathers untrusted data (PR and Issue titles) and presents it to the agent without sanitization or boundary markers.
  - Ingestion points: `github-gatherer.ts` (PR titles), `linear-gatherer.ts` (Issue titles), `beads-gatherer.ts` (Issue titles).
  - Boundary markers: Absent; uses standard Markdown formatting.
  - Capability inventory: Shell access to VCS and issue tracking tools across all gatherer scripts.
  - Sanitization: None; text is interpolated directly into the final report.
Audit Metadata