red-team
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requests broad shell access via the Bash tool, which allows the execution of arbitrary commands on the system.
- [PROMPT_INJECTION]: The skill architecture is susceptible to indirect prompt injection because it ingests data from local markdown files and interpolates it into prompts for secondary background agents spawned via the Agent tool.
  - Ingestion points: Reads target brief files from the 'thoughts/think/' directory as specified in the invocation logic.
  - Boundary markers: Relies on standard markdown formatting to delimit content but lacks explicit instructions for sub-agents to ignore instructions contained within the ingested text.
  - Capability inventory: The skill and its sub-agents have access to powerful tools including Bash, Agent (subprocess spawning), Write, SendMessage, and WebFetch.
  - Sanitization: There is no evidence of input validation or escaping for the ingested content before it is passed to secondary agents.
Audit Metadata