resolve_todo_parallel
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through external data ingestion from the local environment.
- Ingestion points: The skill reads file contents from the
/todos/*.mddirectory. - Boundary markers: There are no boundary markers or delimiters defined to isolate the untrusted TODO content from the agent's core instructions.
- Capability inventory: The skill can spawn sub-agents (
pr-comment-resolver), modify files, commit changes, and push to remote repositories. - Sanitization: The skill does not perform any sanitization or validation of the todo content before passing it to the implementation phase.
- [COMMAND_EXECUTION]: The skill executes Git operations based on task outcomes.
- Evidence: The workflow includes explicit steps to commit changes and push to a remote repository, which are sensitive operations that could be abused if the input TODO items contain malicious instructions.
Audit Metadata