overseer-plan
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill ingests untrusted markdown data which is subsequently processed by the agent and an external Oracle LLM, creating an attack surface for indirect prompt injection.
  1. Ingestion points: 'references/implementation.md' (Step 1) reads user-provided markdown files.
  2. Boundary markers: Absent; the full markdown content is interpolated into task contexts and prompts.
  3. Capability inventory: Access to VCS (git/jj), file system tools, and the 'tasks' MCP API.
  4. Sanitization: Absent.
- [COMMAND_EXECUTION] (MEDIUM): Implementation instructions in 'references/implementation.md' direct the agent to generate JavaScript code for the 'tasks' API by interpolating strings extracted directly from the markdown files (e.g., titles). This is a dynamic execution vector; if the agent fails to properly escape special characters, a malicious markdown file could achieve arbitrary code execution within the agent's task management sandbox.
Audit Metadata