
dev-kit-work

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection via the ticket files it processes.
  • Evidence: The workflow involves loading and parsing tickets from .dev-kit/tickets/ and implementing all acceptance criteria autonomously.
  • Ingestion Points: Files within .dev-kit/tickets/ and the ticket input parameter.
  • Boundary Markers: Absent. There are no delimiters or instructions to treat ticket content as untrusted data.
  • Capability Inventory: The skill is authorized to "Create, modify, or delete files as needed" and "Run tests to ensure implementation works."
  • Sanitization: Absent. The agent is explicitly told to "Implement all acceptance criteria autonomously."
  • [COMMAND_EXECUTION] (HIGH): The skill has broad, autonomous authority to modify the system environment.
  • Evidence: Instructions include "Create, modify, or delete files as needed" and the execution of tests. This capability, when combined with the lack of input sanitization from the ticket files, allows an attacker to execute arbitrary commands by embedding them in the 'Acceptance Criteria' or 'User Story' of a ticket.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 10:38 PM