prd-discovery
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill has a defined surface for indirect prompt injection by ingesting untrusted local data and using it to generate documentation.
- Ingestion points: Reads local context from specs/README.md, README.md, and package manifests (SKILL.md, Workflow Step 2).
- Boundary markers: Absent. No delimiters or instructions are provided to the agent to treat local file content as untrusted data.
- Capability inventory: File system write access to create the .prd/ directory and write .md files (SKILL.md, Workflow Step 5).
- Sanitization: Absent. The skill interpolates discovered context directly into the logic of drafting user stories and technical notes.
- Risk: Maliciously crafted project files could contain 'hidden' instructions that trick the agent into drafting specific user stories or technical constraints that favor an attacker (e.g., instructing the agent to suggest a specific insecure dependency).
- Persistence Mechanisms (LOW): The skill creates a local directory .prd and writes files to it.
- Evidence: Step 5 of the workflow explicitly creates a directory and saves state/output to the disk.
- Severity: LOW as this is standard behavior for a PRD generation tool and does not involve auto-executing scripts or system-level persistence.
Audit Metadata