close-slice
Warn
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script scripts/close_slice.py uses importlib.util to dynamically load and execute a module from a path computed at runtime (../../guide-execution/scripts/manage_execution.py). This technique allows the skill to execute code that is not part of its own distribution, which can be risky if the target script or the path can be manipulated by an attacker.
- [PROMPT_INJECTION]: The skill implements a workflow that parses content from various markdown files (brief.md, blueprint.md, slices.md) and incorporates this data into a history document (docs/spec-history.md). This creates an indirect prompt injection surface where malicious instructions in those files could be executed by an agent reading the history log.
  - Ingestion points: The extract_verification_summary function in scripts/close_slice.py reads content from brief.md, blueprint.md, and slices.md.
  - Boundary markers: While the output uses markers like <!-- spec-publish:{slice_id}:start --> to delimit entries, the ingested text itself is not enclosed in protective delimiters or accompanied by warnings for the agent to ignore embedded instructions.
  - Capability inventory: The skill possesses file system access (read/write) and the ability to execute code via dynamic imports.
  - Sanitization: The script does not perform sanitization, escaping, or validation of the text extracted from the markdown artifacts before rendering it into the summary report.
Audit Metadata