write-sdd
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a local Python script (scripts/check_sdd_structure.py) via a shell command that interpolates a user-provided directory path (--docs-dir ). This creates a risk of command injection or path traversal if the agent ignores the provided safety constraints. Note that the skill instructions contain a direct contradiction: it warns against building shell commands with user-provided paths while simultaneously requiring the agent to do so for the validation step.
- [PROMPT_INJECTION]: The skill's security model relies heavily on the agent adhering to instructions in the SKILL.md file, specifically the 'Output Path Safety' and 'Mandatory preflight sequence' sections. An attacker could use injection techniques to bypass these rules, potentially leading to unauthorized file writes or execution of the validation script with malicious arguments.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data such as Project Requirement Documents (PRDs) and existing Software Design Documents (SDDs).
- Ingestion points: The workflow in SKILL.md (Step 1) involves reading repository documentation and external project context files like evals/fixtures/review-only-input-sdd.md.
- Boundary markers: The instructions do not define clear delimiters to separate untrusted document content from the agent's system instructions.
- Capability inventory: The skill has the ability to write files to the local filesystem (e.g., docs/SDD.md) and execute a local script (scripts/check_sdd_structure.py) via the python3 command.
- Sanitization: Although 'Output Path Safety' rules exist for file paths, there is no guidance on sanitizing the content of ingested documents to prevent embedded instructions from influencing the agent's output.
Audit Metadata