work
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it incorporates external, untrusted content into its decision-making and implementation workflow.
  - Ingestion points: Task descriptions provided via the $ARGUMENTS variable, along with content retrieved from external URLs, GitHub issues, and Pull Requests referenced in the task context.
  - Boundary markers: There are no instructions to use specific delimiters or to ignore embedded instructions within the ingested data, increasing the risk of the agent following malicious instructions hidden in the context.
  - Capability inventory: The skill has the capability to modify project files (file-write), execute shell commands (linting, formatting, testing), and spawn/coordinate a team of subagents.
  - Sanitization: The logic does not specify any sanitization, validation, or filtering of the gathered external context before it influences the agent's actions.
- [COMMAND_EXECUTION]: The skill workflow explicitly includes the execution of shell commands.
  - Evidence: Instructions in Steps 3 and 4 direct the agent to run formatters, linters, and test suites. While these are intended for task verification, they represent a capability that could be abused if the task implementation is influenced by a prompt injection attack.
Audit Metadata