resolve_todo_parallel
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill is vulnerable to instructions embedded in the data it processes. 1. Ingestion points: Reads from /todos/*.md in SKILL.md. 2. Boundary markers: None. The skill does not use delimiters or instructions to treat processed content as untrusted data. 3. Capability inventory: Spawns sub-agents (pr-comment-resolver), writes to files, and executes git commands (commit and push). 4. Sanitization: None. The content of the TODO files is passed directly to the planning and implementation phases.\n- Command Execution (SAFE): The skill performs git operations (commit, push) and task spawning as part of its primary purpose. While these are sensitive operations, they are explicitly defined in the workflow but represent an exploit surface for indirect injection.
Audit Metadata