WorldThreatModelHarness
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through its core workflows.
- Ingestion points: Untrusted data enters the agent context via user-provided ideas in
Workflows/TestIdea.mdand web research results fetched by the 'Research' skill inWorkflows/UpdateModels.md. - Boundary markers: The workflow instructions lack explicit delimiters or safety instructions to prevent the agent from obeying instructions embedded within the processed research or user input.
- Capability inventory: The skill possesses capabilities including local filesystem access (~/.opencode/), shell command execution (curl), and the ability to spawn parallel background agents.
- Sanitization: No sanitization or validation logic is implemented to filter or escape the external content before it is interpolated into agent prompts.
- [COMMAND_EXECUTION]: All workflows (
TestIdea.md,UpdateModels.md,ViewModels.md) execute shell commands usingcurlto send POST requests to a local notification service athttp://localhost:8888/notify. While restricted to localhost and using structured JSON payloads, this constitutes active subprocess execution within the skill's operational flow.
Audit Metadata