executing-single-task
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill includes a 'Required First Step' that forces the agent to invoke `using-superpowers` and other skills before responding. This attempt to pre-set the agent's state or behavior overrides standard reasoning.
- [COMMAND_EXECUTION]: The workflow involves executing `task.steps` and verification commands provided in a `plan_file`. This architecture allows for arbitrary command execution based on external, potentially untrusted data.
- [PROMPT_INJECTION]: The skill represents an indirect prompt injection surface due to its ingestion of instructions from a JSON file without validation.
  - Ingestion points: The `plan_file` absolute path and the `task.steps` command list.
  - Boundary markers: Non-binding instructions to prefer specific files are present, but no strong delimiters or safety warnings are used to isolate untrusted data.
  - Capability inventory: The skill possesses the ability to read and write files, execute shell commands, and create git commits.
  - Sanitization: The skill lacks any mechanism to sanitize or validate the commands or paths provided in the input file.
Audit Metadata