gsd-new-milestone
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes user-controlled content from `.planning/PROJECT.md` to drive the milestone creation workflow.
  - Ingestion points: `.planning/PROJECT.md` is read to gather historical project context and current state.
  - Boundary markers: The skill does not define explicit delimiters or instructions to the agent to isolate project data from system instructions.
  - Capability inventory: The skill has access to Read, Write, Bash, and Task tools, allowing for significant system interaction.
  - Sanitization: There is no evidence of validation or sanitization of the content read from the project files before it is used to influence the workflow.
- [COMMAND_EXECUTION]: The skill explicitly requests the `Bash` tool. While no specific dangerous commands are hardcoded in the skill definition, this capability increases the potential impact if the agent is manipulated via indirect prompt injection from the project files it processes.