skills/petekp/agent-skills/deep-work/Gen Agent Trust Hub

deep-work

Pass

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted data from the codebase being researched.
      • Ingestion points: The agent is instructed to "Read every file in the target area" and read user-provided annotations in .claude/plan.md.
      • Boundary markers: Absent. The instructions do not include delimiters or warnings to ignore embedded instructions within the files being read.
      • Capability inventory: The skill possesses file read/write capabilities (creating .claude/ artifacts) and command execution capabilities (running linters and type checkers).
      • Sanitization: Absent. There is no evidence of filtering or escaping content read from the codebase before it is used to generate plans or research documents.
  • [COMMAND_EXECUTION] (LOW): The implementation phase requires the agent to "Run the project's type checker / linter after each phase." While standard for development, this relies on executing commands defined in the local environment's configuration (e.g., package.json scripts), which could be manipulated by an attacker who has modified the project's configuration files.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 19, 2026, 06:42 AM