task-think
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE (flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill demonstrates a clear vulnerability surface for Indirect Prompt Injection (Category 8).
  - Ingestion points: User-provided task descriptions, constraints, and textual summaries of screenshots are written to .ai/<project-name>/about.md and .ai/<project-name>/<letter>/context.md (SKILL.md).
  - Boundary markers: The skill lacks explicit boundary markers or instructions to isolate or ignore embedded instructions within these artifact files (SKILL.md).
  - Capability inventory: The skill uses codex exec to run child sessions and executes build/test commands, which could be hijacked by instructions embedded in the ingested data (SKILL.md).
  - Sanitization: There is no evidence of sanitization, escaping, or validation of user-controlled content before it is stored in files consumed by automated implementation agents (SKILL.md).
- [COMMAND_EXECUTION] (LOW): The skill is designed to execute child sessions and system commands (build/test) based on generated plans. While this is a high-privilege activity, it is the primary purpose of the skill and no specific malicious command patterns (e.g., remote script piping) were identified. The risk is downgraded due to alignment with the intended primary skill purpose.
- [DATA_EXFILTRATION] (SAFE): Although the skill gathers context from the codebase, there is no evidence of network exfiltration or communication with non-whitelisted domains.