pm-architect
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The scripts generate_daily_status.py, generate_roadmap_review.py, and triage_pr.py initialize the Claude Agent SDK with 'permission_mode="bypassPermissions"', which programmatically overrides standard user confirmation prompts for potentially dangerous operations.
- [COMMAND_EXECUTION]: The delegate_response.py script invokes the 'amplihack' CLI tool with the '--auto' flag, enabling autonomous execution of tasks based on prompts constructed from external issue and pull request data.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection in the delegate_response.py script. It retrieves titles, bodies, and comments from GitHub using the 'gh' CLI and injects this untrusted content directly into a delegation prompt for an autonomous agent without sanitization or boundary markers.
- [PROMPT_INJECTION]: The 'Autopilot Decision Logic' specified in REFERENCE.md allows the agent to automatically transition tasks from the backlog to active workstreams based on item descriptions. If a backlog item is created from a malicious source (e.g., an untrusted PR), it could lead to the autonomous execution of malicious instructions.
- [COMMAND_EXECUTION]: Multiple scripts, including manage_state.py and session_state.py, perform file system operations and execute shell commands (git, gh) using arguments derived from project state files that are updated at runtime.
Recommendations
- AI detected serious security threats
Audit Metadata