Empirical Validation
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it instructs the agent to ingest and act upon data from untrusted external sources.
  - Ingestion points: Terminal output captured via `run_command` (e.g., API responses, build logs) and visual/textual data from the `browser_subagent` (e.g., web page content).
  - Boundary markers: The validation protocol does not specify the use of delimiters or 'ignore' instructions to prevent the agent from obeying malicious commands embedded in the evidence it captures.
  - Capability inventory: The agent has access to `run_command` for shell execution, file system modification capabilities (writing to `.gsd/JOURNAL.md` and `.gsd/STATE.md`), and web browsing via `browser_subagent`.
  - Sanitization: There are no requirements to sanitize, filter, or validate the content of verification evidence before it is integrated into the agent's context or persistent logs.
- [COMMAND_EXECUTION]: The skill documentation explicitly directs the agent to use `run_command` for critical validation steps, including build processes (`npm run build`), API testing (`curl`), and file system verification. While these are intended for legitimate quality assurance, they represent a high-privilege capability that could be abused if the agent is influenced by malicious data.
Audit Metadata