report-artifacts
Warn
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [DYNAMIC_EXECUTION]: The skill dynamically loads and executes Python modules from the local file system in
lib/workflow_state/inventory.py. - It uses
importlib.util.spec_from_file_locationandspec.loader.exec_moduleto load scripts such asmanage_proposals.py,manage_planning.py, andmanage_execution.py. - The paths to these scripts are determined at runtime by searching for a specific repository layout on the file system via
_resolve_runtime_roots(). - [COMMAND_EXECUTION]: The parity checking logic in
lib/workflow_state/parity.pyexecutes shell commands viasubprocess.run. - Specifically, it runs
npx skills ls -g --jsonto retrieve a list of installed skills and their paths. This information is then used to perform file comparisons between the repository and the installed environment. - [INDIRECT_PROMPT_INJECTION]: The skill has an extensive data ingestion surface (Category 8) as it reads and parses JSON and Markdown files from the repository to generate reports.
- Ingestion points: Files like
registry.json,README.md, andslice-traceability.mdacross multiple directories (docs/proposals,docs/features,slices). - Boundary markers: None identified in the source files to separate data from instructions during parsing.
- Capability inventory: The skill has the capability to execute sub-processes (
parity.py) and perform dynamic module loading (inventory.py). - Sanitization: The skill performs JSON decoding and regex-based table parsing but does not explicitly sanitize the content for downstream LLM consumption, which could lead to indirect prompt injection if the metadata or markdown files are manipulated.
Audit Metadata