ratatouille
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to faithfully execute tasks defined in an external file (prd.json).
  - Ingestion points: The skill reads prd.json and progress.txt at the start of every iteration to determine its actions.
  - Boundary markers: There are no markers or system instructions to prevent the agent from obeying instructions embedded within the task descriptions.
  - Capability inventory: The skill can modify project files, run arbitrary test commands (qa), and perform git operations (commit).
  - Sanitization: No validation or filtering is performed on the task data before it influences the agent's behavior.
- Command Execution (HIGH): The 'Workflow' section (Step 6) explicitly commands the agent to 'run relevant tests/checks' and 'create an atomic commit'. This implies shell access. If a malicious task specifies a command as part of the 'qa' process, the agent will likely execute it.
- Recursive Handoff (MEDIUM): Step 7 implements a recursive mechanism where the skill re-triggers itself. If an attacker injects a series of malicious tasks into prd.json, the agent could automate an entire attack chain (e.g., modify file -> test/execute -> commit/push -> loop) with minimal user oversight.
Recommendations
- AI detected serious security threats