status-reporting
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's core function is to ingest data from external platforms where content is controlled by third parties.
- Ingestion points: Reads data from 'Code Review' (PRs/MRs), 'Issues' (Linear/Jira), and 'CI/CD' (error logs) as defined in the 'Data Sources' section of SKILL.md.
- Boundary markers: No explicit boundary markers or 'ignore embedded instructions' warnings are defined for the aggregated output.
- Capability inventory: The skill explicitly requires 'shell access' and executes local scripts (./scripts/sitrep.ts). The agent is instructed to use the report to 'Identify attention-needed items' and 'Plan work'.
- Sanitization: No sanitization logic is mentioned for the text gathered from external titles, bodies, or comments.
- Command Execution (MEDIUM): The skill relies on shell execution of a local TypeScript script and various CLI tools.
- Evidence: The <scripts> section defines the execution of ./scripts/sitrep.ts with various flags.
- Risk: If the script logic or the agent's interpretation of the script's output is compromised via indirect injection, the 'shell access' capability provides a high-impact exploitation path.
- Data Exposure (LOW): Accesses sensitive repository and project metadata.
- Evidence: Queries VCS state, PR decisions, and internal issue trackers.
- Detail: While consistent with the skill's purpose, the aggregation of this data into a single report increases the impact of potential exfiltration if a prompt injection occurs.
Recommendations
- AI detected serious security threats