recipe-fullstack-build
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill runs shell commands via dynamic context injection (e.g., `! ls -la ...`) and standard execution (e.g., `git commit`) to manage its workflow. While these commands are currently used only for directory listings and version control, they involve direct interaction with the host system's shell environment.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from local markdown files to drive agent behavior.
  - Ingestion points: Reads content from the `docs/plans/`, `docs/plans/tasks/`, and `docs/design/` directories.
  - Boundary markers: Absent. No delimiters or instructions tell the sub-agents to ignore the ingested file content or to treat it as untrusted.
  - Capability inventory: The orchestrator can invoke powerful sub-agents (via the `Agent` tool) to execute code, perform quality checks, and commit changes to the repository.
  - Sanitization: None. The content of the task files is used directly to populate sub-agent prompts.
  - Risk Factor: The 'autonomous mode' triggered by existing task files reduces human-in-the-loop oversight, increasing the potential impact of instructions embedded in those files if they have been modified by an external process.
Audit Metadata