todo
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes `git log` using a timestamp string parsed from the `TODO.md` file. While this is a standard local operation for tracking work, it involves executing a system command with arguments derived from an editable file.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from codebase comments (e.g., TODO, FIXME, HACK) and PRD files (`tasks/prd-*.md`). Malicious instructions embedded in these files could attempt to influence the agent's behavior during its inventory and organization tasks.
  - Ingestion points: Reads arbitrary file contents from the project codebase, PRD files, and the existing `TODO.md`.
  - Boundary markers: No specific delimiters or 'ignore' instructions are used when interpolating scanned content into the agent's context.
  - Capability inventory: The skill has permissions to read the filesystem, execute git commands, and write a `TODO.md` file to the project root.
  - Sanitization: The skill lacks explicit sanitization or validation logic to verify the integrity of the content it scans before processing or writing it.
Audit Metadata