architect-workflow

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The workflow's 'Research' phase (Phase 2) ingests codebase content to create a Knowledge Brief. That content is then used to generate a Strategic Execution Plan (Phase 3), so malicious instructions embedded in the analyzed code could hijack the planning process. Evidence: .claude/teams/architect.md, Phase 2, instructs researchers to map the territory and read file contents. Boundary Markers: No delimiters or specific instructions exist to prevent the model from obeying instructions found within the project files. Capability Inventory: The 'Reviewer' agent (Sonnet, with Bash) executes shell commands, while the 'Implementers' (Opus) modify files in the sandbox. Sanitization: The process relies on an 'Approval Gate' (Phase 4), which requires a human reviewer to notice if the generated plan has been compromised.
  • Command Execution (HIGH): The skill executes shell commands through the 'Reviewer' agent to verify implementations. If the underlying plan is poisoned via injection, these commands provide a direct execution path for an attacker. Evidence: The skill explicitly calls for running 'pnpm test', 'npx tsc --noEmit', and 'pnpm lint' in Phases 5 and 6 of the architect team definition.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 11:22 AM