execute
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill mandates fully autonomous operation ("Never ask the user") and passes a mode: "bypassPermissions" parameter when delegating tasks. These instructions are designed to circumvent the normal user-interaction protocol and the permission-based security controls of the host agent.
- [COMMAND_EXECUTION]: The verification step executes shell scripts (e.g. sh scripts/lint-arch.sh) and system binaries (go, pnpm, git). This creates a risk of arbitrary command execution if an attacker can modify the workspace contents, because the scripts are run as found rather than checked against a known-good version.
- [PROMPT_INJECTION]: The skill is highly exposed to indirect prompt injection because it ingests untrusted external data and acts on it without review.
  - Ingestion points: implementation plans located in brain/plans/, task lists in brain/todos.md, and user-provided ad-hoc requests.
  - Boundary markers: absent; the skill does not specify delimiters, nor does it instruct the agent to treat ingested data as non-executable text.
  - Capability inventory: subprocess execution via shell scripts, compilation tools (go), package managers (pnpm), and agent-spawning tools (Task).
  - Sanitization: absent; the agent is instructed to proceed autonomously based on the content of the scoped items without validating the integrity or safety of any instructions contained within them.
Audit Metadata