dev
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs bash commands using heredocs (`<<'EOF'`) to pass requirements and feature names to the `codeagent-wrapper` utility. The quoted delimiter only suppresses variable expansion inside the body; a line of user input consisting solely of `EOF` still terminates the heredoc prematurely, and everything the user places after that line is parsed and executed as shell commands on the host system.
- [PROMPT_INJECTION]: The skill's instructions include 'CRITICAL CONSTRAINTS' that explicitly claim to 'override all other instructions' and hold 'HIGHEST PRIORITY'. This pattern is a form of internal prompt injection: it tries to displace the agent's standard operational guidelines in favor of the skill's own logic.
- [REMOTE_CODE_EXECUTION]: The skill relies on a non-standard external utility called `codeagent-wrapper` for all code modifications. This utility serves as a proxy for remote execution across various LLM backends, but its source and safety cannot be verified within the skill context, so it is an unverified dependency on the execution path.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its automated workflow.
  - Ingestion points: User requirements are collected via `AskUserQuestion` in `SKILL.md` (Step 1).
  - Boundary markers: None present; user inputs are directly interpolated into bash commands and markdown templates.
  - Capability inventory: The agent has access to the `Bash` tool for command execution, the `Write` tool for file modification, and `codeagent-wrapper` for parallel code execution.
  - Sanitization: No input validation or escaping is performed on requirements before they are used by the `dev-plan-generator` agent to create 'Test Commands' in the `dev-plan.md` file, which are subsequently executed in Step 4. Attacker-controlled text therefore reaches a command-execution step twice: once through the heredoc, and once through the generated test commands.
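The heredoc break-out in the COMMAND_EXECUTION finding and the missing sanitization noted above are illustrated by the following added example. It is not code from the audited skill or from `codeagent-wrapper`; `consumer` is a hypothetical stand-in for that utility and is assumed to read the requirements text from stdin. `vulnerable_run` models the agent building a command string and handing it to its Bash tool; `safe_run` passes the same text without ever letting the shell parse it, and `has_delimiter_line` is the check the skill does not perform.

```shell
#!/usr/bin/env bash
# Added example, not code from the audited skill. "consumer" stands in for
# codeagent-wrapper (assumption: it reads the requirements from stdin) and
# here only reports how many lines of text it actually received.
consumer() { wc -l | tr -d ' '; }

# Vulnerable pattern: the user's text is pasted into a heredoc body inside a
# command string, which is then executed (eval models the Bash tool). The
# quoted delimiter stops $VAR expansion, but a line that is exactly "EOF"
# still ends the body, and whatever follows it runs as shell commands.
vulnerable_run() {
  cmd="consumer <<'EOF'
$1
EOF
"
  # stderr is silenced because the template's own trailing EOF line is
  # executed as a command ("not found") after the smuggled command has run.
  eval "$cmd" 2>/dev/null || true
}

# Hardened pattern: never build a command string from untrusted text. Hand
# it to the tool over a pipe; printf '%s' passes every byte through and no
# part of the input is ever parsed by the shell.
safe_run() {
  printf '%s\n' "$1" | consumer
}

# If a heredoc must be emitted anyway, refuse input that contains the
# delimiter on a line of its own (-x: whole line, -F: literal match).
# Returns 0 when such a line is present.
has_delimiter_line() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

# Constructed attacker input: a plausible requirement whose second line is the
# delimiter, followed by a command that should never execute.
payload='add a login page
EOF
echo INJECTED'

vulnerable_run "$payload"   # tool saw 1 line, then "INJECTED" is printed
safe_run "$payload"         # tool saw all 3 lines, nothing executed
has_delimiter_line "$payload" EOF && echo "input contains a bare EOF line"
```

A random delimiter (for example `<<'REQ_7f3a...'`) narrows the attack but does not remove it, since the agent's own chat context may leak the token; the pipe or a temporary file written with `printf '%s'` is the form that removes shell parsing entirely. The same discipline applies to the 'Test Commands' the `dev-plan-generator` emits: text that originated in a requirement must be treated as data, not as a command line to run in Step 4.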
Audit Metadata