drift-detection
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerability to Indirect Prompt Injection. The skill reads source code, tests, and PRDs which are untrusted external inputs. A malicious actor can embed instructions in comments or documents that the agent may execute due to its 'Write' and 'Edit' capabilities. Specifically, the 'Drift Detection' workflow encourages the agent to act on findings from these documents to update the implementation. \n
- Ingestion points: File reading via 'Read' and 'Grep' tools, and output from 'spec.py'. \n
- Boundary markers: None present in the instructions. \n
- Capability inventory: 'Write', 'Edit', and 'Task' tools provide significant side-effect potential on the filesystem. \n
- Sanitization: None present. \n- [COMMAND_EXECUTION] (MEDIUM): Hardcoded execution of 'spec.py'. The skill relies on a script located at a specific path (~/.claude/plugins/marketplaces/the-startup/plugins/start/skills/specification-management/spec.py). This is an unverifiable dependency that could lead to arbitrary code execution if the script or the marketplace source is compromised. \n- [COMMAND_EXECUTION] (LOW): Shell command usage. The skill uses 'grep' and 'find' to process untrusted file names and contents, which could lead to argument injection if patterns are not properly escaped by the agent framework.
Recommendations
- AI detected serious security threats
Audit Metadata