dot-ai-prd-close
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill performs direct commits and pushes to the 'main' branch using the '[skip ci]' flag. This combination allows the agent to modify the repository while bypassing Continuous Integration (CI) pipelines, which typically host security scanners and tests. This is a significant bypass of standard repository protection and oversight mechanisms.
- COMMAND_EXECUTION (MEDIUM): The skill constructs several shell commands, including 'gh issue edit', 'gh issue close', and 'git commit', using user-provided inputs like the closure 'reason' and 'PRD number'. If the underlying agent implementation does not properly sanitize these inputs, it creates a risk of command injection.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it reads and processes content from PRD files ('prds/[number]-.md'). An attacker-controlled PRD file could contain malicious instructions designed to manipulate the agent's logic during the archival process. Evidence Chain:
  1. Ingestion points: Content of 'prds/[number]-.md' and user-provided arguments.
  2. Boundary markers: None identified.
  3. Capability inventory: File system moves ('git mv'), GitHub CLI operations ('gh'), and remote repository pushes ('git push').
  4. Sanitization: No explicit sanitization or validation of external content is defined.
Recommendations
- AI detected serious security threats