doc-bdd-reviewer
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands to maintain a file integrity cache.
- Evidence: The 'Hash Calculation' section explicitly mandates the execution of `sha256sum <file_path> | cut -d' ' -f1`. It uses forceful language ('CRITICAL: Execute actual bash commands. DO NOT write placeholder values') to ensure the agent performs the operation.
- Risk: If the file path provided in the BDD documentation is maliciously crafted (e.g., containing semicolons or command substitutions), it could lead to arbitrary command execution on the host system.
- [PROMPT_INJECTION]: The instructions use strong override markers to dictate agent behavior regarding system-level operations.
- Evidence: Use of keywords like 'CRITICAL', 'MANDATORY', and 'REJECTED VALUES' to force specific command execution logic and bypass typical AI constraints against running shell commands.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process external BDD and EARS documents, creating a surface for injection.
- Ingestion points: Processes user-provided BDD files (`.feature`, `.md`) and upstream references (`@ears:`, `@ref:`).
- Boundary markers: None detected. The skill reads raw file content to identify references and calculate hashes.
- Capability inventory: Performs file system reads, writes to a local JSON cache (`.drift_cache.json`), and executes subprocesses via bash.
- Sanitization: No explicit sanitization or validation of the `<file_path>` variable is mentioned before it is passed to the shell command.