sdd-next
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its core workflow of reading and following external specification files.
- Ingestion points: The skill ingests data from specification files located in `specs/pending`, `specs/active`, and `specs/completed` via the `sdd prepare-task` and `sdd task-info` commands.
- Boundary markers: There are no instructions for the agent to treat the data from specification files as untrusted or to wrap them in protective delimiters to prevent instruction override.
- Capability inventory: The agent has the capability to execute shell commands, modify the filesystem during implementation, and invoke other subagents (`sdd-update-subagent`, `run-tests-subagent`, `sdd-fidelity-review-subagent`).
- Sanitization: The instructions do not specify any validation or sanitization of the input fields (e.g., `instructions`, `metadata`, `acceptance criteria`) before they are used to draft and execute implementation plans.
- [COMMAND_EXECUTION]: The skill relies heavily on a local CLI tool, `sdd`, to manage state, check context, and update task statuses. While these commands are part of the intended workflow, they represent a significant capability that could be abused if the input specifications are malicious.
Audit Metadata