workflows-plan
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands (`gh issue create`, `linear issue create`, `open`, `cat`) with variables derived from user-provided feature descriptions and titles. While filenames undergo kebab-casing, the title string is directly interpolated into CLI arguments (`--title "<title>"`). If a user provides a title containing shell metacharacters or command substitution patterns (e.g., `$(...)`), it could lead to unintended command execution depending on the agent's shell environment.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection. It ingests untrusted data from the `feature_description` argument and from the content of existing brainstorm files (`docs/brainstorms/*.md`). This data is then used to guide the behavior of multiple research agents and the plan generation process.
  - Ingestion points: `feature_description` argument; content of local markdown files in `docs/brainstorms/`.
  - Boundary markers: The `feature_description` is wrapped in XML-like tags, but the content from brainstorm files is read and processed without explicit boundary isolation.
  - Capability inventory: The skill can execute shell commands (`ls`, `mkdir`, `gh`, `linear`, `open`, `cat`) and trigger other specialized research agents.
  - Sanitization: There is no evidence of sanitization for the content of the description or title before it is passed to research tasks or used in GitHub/Linear CLI commands beyond basic filename formatting.
Audit Metadata