guide-execution
Warn
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `subprocess` for system interaction. `scripts/manage_execution.py` executes `git` commands to infer branch-related IDs and context. `lib/workflow_state/parity.py` runs `npx skills ls -g --json` to list globally installed skill metadata for environment discovery.
- [EXTERNAL_DOWNLOADS]: The use of `npx` in `lib/workflow_state/parity.py` to execute the `skills` package involves a dependency on the npm registry, which may download and run code at runtime if the package is not cached locally.
- [REMOTE_CODE_EXECUTION]: Implements dynamic module loading via `importlib.util` on computed paths. `lib/workflow_state/inventory.py` resolves paths to internal scripts (e.g., `manage_proposals.py`) and executes them. `scripts/manage_execution.py` similarly loads `scope_runtime.py`. This pattern allows for the execution of Python code from paths calculated at runtime.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
  - Ingestion points: Data is ingested from `.slice-meta.json`, `registry.json`, and `slice-traceability.md` (markdown tables).
  - Boundary markers: None identified; the skill trusts the structure and metadata of these files to guide its logic without explicit delimiters.
  - Capability inventory: The skill has the capability to delete directories (`shutil.rmtree`), move files (`shutil.move`), and execute system commands (`subprocess.run`) based on state transitions derived from input data.
  - Sanitization: Inputs are checked for basic format (e.g., `SLICE_ID_PATTERN`), but the logic lacks robust sanitization against instructions embedded in markdown content that could influence decision-making.
Audit Metadata