sc-workflow
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its core workflow of processing external, potentially untrusted documents.
- Ingestion points: The skill explicitly parses PRD files (e.g., feature-spec.md, enterprise-prd.md) and feature requirements provided as text.
- Boundary markers: There are no defined delimiters or instructions to the agent to disregard instructions embedded within the PRDs being analyzed.
- Capability inventory: The skill utilizes the mcp__rube toolset, which has the capability to create Jira issues (JIRA_CREATE_ISSUE), send Slack messages (SLACK_SEND_MESSAGE), and create Notion pages (NOTION_CREATE_PAGE).
- Sanitization: There is no evidence of content sanitization or validation logic to ensure that instructions hidden within a PRD do not manipulate the parameters of the tools used (e.g., an attacker adding a task to a Jira backlog via a hidden instruction in a requirement document).
Audit Metadata