checklist-runner
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill explicitly instructs the agent to follow instructions embedded within the checklist data it processes, creating a vulnerability to indirect prompt injection.
- Ingestion points: The skill reads Markdown files from .aiox-core/development/checklists/, documentation from docs/stories/, source code files, and git diffs as its primary context.
- Boundary markers: There are no markers or delimiters defined to distinguish between data and instructions; the skill explicitly states to "Follow any embedded LLM instructions in the checklist."
- Capability inventory: The skill accesses the local filesystem, including source code, documentation, and potentially sensitive development environment artifacts like test results and git history.
- Sanitization: No sanitization or validation of the checklist content is performed before the agent processes the embedded instructions.
Audit Metadata