file-todos
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute several shell commands (e.g.,
grep,awk,ls,mv,cp) to manage files within thetodos/directory. While these are standard operations, they rely on variables like{description}and{NEXT_ID}derived from file content or naming conventions, which could present a command injection surface if the agent does not properly sanitize these inputs before execution. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it requires the agent to read and process the contents of markdown files in the
todos/directory. If these files are created from untrusted external sources (such as pull request comments or automated feedback), they could contain hidden instructions intended to divert the agent from its intended workflow during triage or management tasks. - Ingestion points: Files located in
todos/*.mdare read and interpreted by the agent during the triage and update workflows. - Boundary markers: The skill defines a structured template with YAML frontmatter and specific markdown headers, but it lacks explicit instructions or markers to prevent the agent from following instructions embedded within the data sections.
- Capability inventory: The agent has the capability to perform file system manipulations (
mv,cp) and search operations based on the data it processes from these files. - Sanitization: There are no verification or sanitization steps mentioned to validate the content of the todo files before the agent acts upon them.
Audit Metadata