alignfirst-coaching

Pass

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes a local Node.js script (scripts/alignfirst-agent.mjs) which in turn executes the claude CLI. This is the primary mechanism for the skill's functionality. The implementation uses spawnSync with an argument array, which is a security best practice that prevents shell injection vulnerabilities by ensuring arguments are not interpreted by a shell.
  • [PROMPT_INJECTION]: The skill facilitates a relay system where user-provided task descriptions are passed to a secondary AI session. This creates an indirect prompt injection surface.
  • Ingestion points: External data enters the system through the --message argument in the scripts/alignfirst-agent.mjs wrapper script, typically originating from ticket descriptions or user answers.
  • Boundary markers: The script prefixes the message with AlignFirst protocol commands (e.g., /alspec), but it does not employ protective delimiters (like XML tags or clear 'end-of-message' markers) to prevent the sub-agent from following instructions embedded within the message.
  • Capability inventory: The target agent (accessed via the Claude CLI) possesses broad capabilities, including the ability to read and modify the local codebase. Additionally, the wrapper script has permissions to create directories and write log files locally.
  • Sanitization: The script does not perform sanitization, escaping, or validation of the message content before passing it to the sub-agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 2, 2026, 02:39 PM