implement
Warn
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to perform complex git operations such as creating branches, managing worktrees, and merging code. It also runs development workflows using npm, poetry, and docker-compose, and includes a dedicated shell script (scripts/worktree-setup.sh) for environment management.
- [COMMAND_EXECUTION]: It utilizes the CronCreate tool to schedule recurring health checks that execute prompts at specified intervals. This constitutes a persistence mechanism by allowing the agent to perform automated, background actions across sessions.
- [EXTERNAL_DOWNLOADS]: The workflow retrieves external documentation via WebFetch as a fallback mechanism. Furthermore, it triggers package managers like npm and pip which download and install code dependencies from public registries during implementation and build phases.
- [REMOTE_CODE_EXECUTION]: The skill executes code during build, type-checking, and testing phases using runners like npm test and pytest. This involves executing logic that is either generated by subagents or downloaded as external dependencies, potentially running untrusted code if the project context is compromised.
- [PROMPT_INJECTION]: An indirect prompt injection surface exists where user-supplied feature descriptions from arguments are directly interpolated into the instructions for subagents (e.g., backend-system-architect, frontend-ui-developer). The lack of explicit boundary markers or input sanitization could allow malicious input to redirect the subagents' behavior.
Audit Metadata