brainstorming
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is susceptible to indirect prompt injection because it ingests untrusted data from the local environment during the initial context exploration phase.
- Ingestion points: File SKILL.md (Step 1: 'Explore project context') instructs the agent to read local files, documentation, and recent commits.
- Boundary markers: Absent. There are no explicit instructions or delimiters provided to help the agent distinguish between project data and potentially malicious instructions embedded within those files.
- Capability inventory: The skill has the capability to write to the filesystem (docs/plans/), execute git commits, and invoke subsequent skills (e.g., writing-plans).
- Sanitization: Absent. No sanitization or validation of the ingested project data is performed before it is used to influence the design process.
- [Data Exposure & Exfiltration] (SAFE): The skill accesses local project data as part of its core functionality, but it does not contain any networking primitives (e.g., curl, fetch) or logic to exfiltrate this information to external domains.
- [Command Execution] (SAFE): The skill performs file writes and git commits. These are performed using standard, predictable paths for documentation purposes and do not involve the execution of arbitrary or obfuscated shell commands.
Audit Metadata