bugs-to-stories

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • PROMPT_INJECTION (HIGH): Indirect prompt injection surface via bug report ingestion.
      * Ingestion points: The skill reads untrusted data from tasks/bug-report-*.md in Step 1.
      * Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the bug report content.
      * Capability inventory: The skill modifies prd.json in Step 5 and prepares tasks for an autonomous fixing agent (ralph.sh), which likely has file system write access.
      * Sanitization: None. Data from the bug report is directly interpolated into the description, acceptanceCriteria, and notes fields of the JSON output.
  • COMMAND_EXECUTION (LOW): The skill uses local shell commands (ls, cat, jq, cp) for file management. While these are executed via a shell, they are limited to local project files and do not incorporate untrusted input directly into the command string itself.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:55 PM