Skills
skills/udecode/plate/ce-work-beta/Gen Agent Trust Hub

ce-work-beta

Pass

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted input documents that the agent is instructed to treat as decision artifacts.
  • Ingestion points: The skill ingests work plans, specifications, or todo files via the #$ARGUMENTS parameter in SKILL.md.
  • Boundary markers: The input is wrapped in <input_document> tags; however, the instructions command the agent to "read the work document completely" and "treat the plan as a decision artifact," which may lead to the agent following malicious instructions embedded within the plan.
  • Capability inventory: The skill has access to shell execution (bash), Git operations (git checkout, git commit, git push), browser automation (agent-browser), and network uploads (imgup).
  • Sanitization: There is no evidence of sanitization, filtering, or validation of the content within the input document before it is processed by the agent.
  • [DATA_EXFILTRATION]: The skill facilitates the upload of screenshots to third-party public hosting services, which could be exploited to exfiltrate sensitive information if the agent is directed to capture sensitive data.
  • Evidence: Phase 4, Step 2 instructs the agent to use the imgup skill to upload screenshots to services like pixhost, catbox, imagebin, and beeimg for inclusion in Pull Request descriptions.
  • [COMMAND_EXECUTION]: The skill executes various shell commands to manage the development environment and run project-specific tools.
  • Evidence: Phase 1 and Phase 2 include shell scripts for branch management (git branch, git checkout), and instructions to run arbitrary test and linting commands (bin/rails test, npm test, pytest) based on the project's configuration.
  • [REMOTE_CODE_EXECUTION]: The skill includes an "External Delegate Mode" that passes implementation tasks to an external CLI tool.
  • Evidence: The "External Delegate Mode" section describes building a prompt from the implementation plan and piping it into the Codex CLI via stdin. This delegates code generation and implementation to an external process using potentially untrusted input from the plan.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 27, 2026, 05:25 PM