refine-journey

Warn

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to automatically detect build systems and execute build/test commands in Phase 2a and 2b. This involves running code found within the local repository (e.g., npm install, cargo build, or project-specific test suites). If the repository or the generated tests contain malicious code, this results in arbitrary command execution on the user's system.
  • [PROMPT_INJECTION]: This skill is vulnerable to indirect prompt injection. It ingests untrusted data from the 'spec.md' file and generated project artifacts (Phase 1), processes this data to diagnose failures (Phase 4), and then automatically performs 'surgical edits' to the root 'SKILL.md' file (Phase 5).
  • Ingestion points: Reads spec.md (via $ARGUMENTS) and files in the journeys/ directory.
  • Boundary markers: No delimiters or instructions are used to separate untrusted project data from the agent's core instructions.
  • Capability inventory: The agent has the capability to write to the filesystem (modifying SKILL.md and journey-refinement-log.md) and execute shell commands (build and test steps).
  • Sanitization: There is no validation or sanitization of the content being used to generate the new instructions for SKILL.md, allowing a malicious spec file to influence the final code of the skill itself.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 28, 2026, 01:43 AM