resolve-todos
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the codebase it analyzes.
- Ingestion points: In SKILL.md, the workflow uses the Grep tool to scan files for TODO, FIXME, and XXX strings.
- Boundary markers: No markers or delimiters are defined to separate the untrusted TODO text from the agent's instructions.
- Capability inventory: The skill and its sub-agents (spawned via the Task tool) have access to Read, Write, Edit, and Bash tools, allowing for significant filesystem and system modification.
- Sanitization: The skill does not perform any sanitization or validation of the text found in TODO comments before passing it to the sub-agent prompts.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to search the codebase and perform Git operations like committing and pushing changes. While standard for this use case, it provides a powerful interface that could be abused if the agent is subverted.
Audit Metadata