medium-plan
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the processing of the `${ARGUMENTS}` variable, which contains the user's feature description.
  - Ingestion points: The `${ARGUMENTS}` placeholder in `SKILL.md` accepts untrusted data from the user.
  - Boundary markers: The input is delimited by `<feature_description>` tags, which provide some separation but can be bypassed by an attacker.
  - Capability inventory: The skill has access to the `Bash`, `Write`, `Edit`, `Read`, and `Grep` tools.
  - Sanitization: There is no evidence of sanitization or validation performed on the feature description before it is used to direct agent tasks.
- [COMMAND_EXECUTION]: The skill explicitly allows the use of the `Bash` tool for repository research and context gathering.
  - Evidence: The `allowed-tools` section in the YAML frontmatter includes `Bash`.
  - Context: While the tool is used to support the primary purpose of the skill (planning based on repository structure), its combination with untrusted input creates a potential vector for executing unauthorized commands if the agent is not properly constrained.
Audit Metadata