skills/poteto/noodle/schedule/Gen Agent Trust Hub

schedule

Pass

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: SAFE

PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection via the processing of untrusted external data.
  • Ingestion points: Data is read from .noodle/mise.json (specifically the backlog array) and various markdown files within the brain/plans/ directory.
  • Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions when interpolating external content into the extra_prompt or prompt fields of the output JSON.
  • Capability inventory: The skill generates .noodle/orders-next.json, which determines the task key, prompt content, and sets the runtime to process for the agent's next execution cycle. It also performs CLI operations via noodle adapter run.
  • Sanitization: There is no evidence of sanitization or validation of the text ingested from the backlog or plan files before it is used to generate prompts for the agent. The risk is compounded by the instruction to operate fully autonomously without user confirmation.
  • [COMMAND_EXECUTION]: The skill invokes the noodle command-line tool, a vendor-specific resource, to perform actions such as noodle adapter run backlog add. While these calls are part of the core functionality, they represent a path where influenced data could be passed to local system processes.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 22, 2026, 01:17 AM