implement_task
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): Significant vulnerability to Indirect Prompt Injection (Category 8) due to the combination of untrusted data ingestion and high-privilege capabilities.
- Ingestion points: The agent reads 'Continuity ledgers', 'Overall implementation plans', 'Previous task handoffs' (e.g.,
task-NN-*.md), and existing source code files. These files are external to the skill and can contain attacker-controlled content. - Boundary markers: Absent. The skill lacks delimiters or instructions to ignore embedded commands within the ingested data, increasing the risk that the LLM will follow malicious instructions found in code comments or handoff notes.
- Capability inventory: The agent possesses the ability to execute shell commands (
qlty check) and run arbitrary Python modules via a harness (uv run python -m runtime.harness), which can modify the filesystem and execute project-specific scripts. - Sanitization: No input validation or sanitization is performed on the ingested context before it is used to generate command arguments or code modifications.
- COMMAND_EXECUTION (MEDIUM): The skill routinely invokes shell commands and Python scripts with dynamically generated arguments.
- Evidence: Explicit instructions to run
qlty check --fixanduv run python -m runtime.harness scripts/mcp/morph_apply.py. These commands are used to modify project files based on the LLM's interpretation of the task, making the process vulnerable to manipulation through injected context.
Recommendations
- AI detected serious security threats
Audit Metadata