rstack-team

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Executes shell commands to check for existing context files and directories (e.g., PLAN.md, CLAUDE.md, .claude/agents) and verify environment variable status.
  • [EXTERNAL_DOWNLOADS]: Fetches resource metadata from the vendor's dashboard at resolved.sh using curl.
  • [DATA_EXFILTRATION]: Transmits the RESOLVED_SH_API_KEY and RESOLVED_SH_RESOURCE_ID to the vendor's API to retrieve configuration data necessary for scaffolding.
  • [PROMPT_INJECTION]: Ingests and processes content from PLAN.md to generate instructions for CLAUDE.md and specialized agent definitions, creating an indirect prompt injection surface.
    • Ingestion points: The skill reads PLAN.md to derive the business model, strategic priorities, and operational guardrails for the agent team.
    • Boundary markers: No specific boundary markers or warnings are used to prevent the agent from following instructions embedded within the processed PLAN.md file.
    • Capability inventory: The skill creates and modifies local files (CLAUDE.md, OPERATING_FRAMEWORK.md, and .claude/agents/*.md) and performs network operations via curl to the vendor domain.
    • Sanitization: The input from PLAN.md is interpolated directly into templates without sanitization or validation.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 16, 2026, 03:38 AM