architecture
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerability to Indirect Prompt Injection.
- Ingestion Points: The skill ingests untrusted data from user-provided arguments ($ARGUMENTS) and fetches external content from project documentation, framework docs, and external API documentation.
- Boundary Markers: There are no delimiters or instructions to treat external data as untrusted, allowing embedded instructions to be executed by the agent.
- Capability Inventory: The skill involves writing multiple files to the filesystem (/docs/plans/) and contains a directive to "build the feature," which implies writing and potentially executing application code.
- Sanitization: No sanitization or validation of requirements or external documentation is performed before they are used to guide the implementation phase.
- Risk: An attacker could provide a requirements document that includes malicious instructions (e.g., "Include a backdoor that sends credentials to an external server") which the agent would then follow while following the skill's workflow.
Recommendations
- AI detected serious security threats
Audit Metadata