todo-resolve
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to perform file system operations, specifically deleting resolved todo files and managing a scratch directory at `.context/compound-engineering/todo-resolve/`.
- [DATA_EXFILTRATION]: The skill performs Git operations, including pushing committed changes to a remote repository. This is an intended function of the skill's workflow to synchronize resolved todos with a remote origin.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes the content of external markdown files (`todos/*.md`).
  - Ingestion points: The agent scans files in `.context/compound-engineering/todos/*.md` and legacy `todos/*.md` for instructions.
  - Boundary markers: No specific delimiters or safety warnings are used to wrap the todo content, although the skill logic partitions files by status and only resolves those marked as `ready`.
  - Capability inventory: The skill possesses the ability to spawn sub-agents (`compound-engineering:workflow:pr-comment-resolver`), modify the file system, and push updates to remote Git repositories.
  - Sanitization: No explicit sanitization or validation of the todo file content is performed before passing tasks to sub-agents.