write-prd
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by interpolating untrusted user data into system-level operations without sufficient isolation or validation.
  - Ingestion points: Untrusted data enters the agent context through the `$ARGUMENTS` variable (product name or feature) and the `AskUserQuestion` tool used to define the PRD scope in `SKILL.md`.
  - Boundary markers: The skill does not employ explicit boundary markers (e.g., XML tags or clear delimiters) or specific instructions to the agent to ignore potential instructions embedded within the user-provided product descriptions.
  - Capability inventory: The skill possesses significant capabilities across multiple files, including file system operations via `Write` and `Edit`, shell access via `Bash`, and structured memory interactions via `mcp__memory__search_nodes`.
  - Sanitization: User-provided content is directly used to construct file names (e.g., `PRD-{product-slug}.md`) and used as a query string in memory searches (`{PRODUCT} PRD requirements`) without sanitization or escaping, creating a surface for potential path manipulation or search-based injection.
Audit Metadata