write-incident-runbook

Pass

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes potentially untrusted data (incident names and descriptions) and utilizes that data within its execution context.
    • Ingestion points: 'Incident or alert name/description' and 'Historical incident data' defined in SKILL.md.
    • Boundary markers: Absent. There are no delimiters or instructions to treat external data as untrusted or to ignore embedded instructions.
    • Capability inventory: The skill uses the Bash tool to execute kubectl (cluster management), git, and curl.
    • Sanitization: Absent. The skill does not specify validation or escaping for user-provided incident data before it is processed.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to run infrastructure management commands such as 'kubectl rollout undo', 'kubectl scale', and 'kubectl set env', as well as database queries via SQL. While these tools are essential for the skill's stated purpose of incident resolution, they grant the agent the ability to modify live infrastructure and data, which could be exploited if the agent follows malicious instructions embedded in incident descriptions.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 27, 2026, 10:52 PM