complete

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill reads and processes untrusted project files ('PLAN.md', 'WORKLOG.md', and documentation) to drive its finalization logic. It possesses high-impact capabilities including file modification ('Write'/'Edit') and shell access ('Bash') for Git operations. The absence of boundary markers or sanitization means malicious instructions in these files could hijack the agent's behavior during the completion process.
    * Ingestion points: 'PLAN.md', 'WORKLOG.md', and files in 'spaces/[project]/docs/'.
    * Boundary markers: Absent.
    * Capability inventory: 'Bash' (git merge/push), 'Write', 'Edit', 'Task' (launching other agents).
    * Sanitization: Absent.
  • Command Execution (HIGH): The skill uses the 'Bash' tool to execute Git commands incorporating an issue slug. If the slug is sourced from untrusted input (e.g., issue titles or file metadata) without strict validation, it creates a vector for shell command injection (e.g., via backticks or semicolons in a branch name), potentially allowing arbitrary code execution on the runner.
  • Remote Code Execution (HIGH): By allowing the execution of shell commands through 'Bash' with inputs sourced from potentially untrusted documentation or task metadata, the skill provides a path for code execution within the agent's execution environment if documentation is manipulated by an external actor.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:20 AM