cdd-boot
Pass
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: SAFE
Finding category: PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a workflow that is vulnerable to indirect prompt injection by ingesting untrusted repository files and using them to define its operational role.
  - Ingestion points: The skill reads context from AGENTS.md, README.md, docs/INDEX.md, docs/specs/blueprint.md, docs/JOURNAL.md, and various fallback files such as TODO*.md or CHANGELOG*.md.
  - Boundary markers: No delimiters or safety instructions are defined to separate the content read from files from the system instructions; AGENTS.md is explicitly treated as the source of truth for the agent's role and response format.
  - Capability inventory: The skill instructions explicitly prohibit writing or modifying files, and the disable-model-invocation setting prevents the model from calling tools during execution, effectively limiting the risk of the injection being used to perform unauthorized actions.
  - Sanitization: No sanitization or validation of the documentation content is performed before it is processed by the agent.
Audit Metadata