architect
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (MEDIUM): The skill is vulnerable to Indirect Prompt Injection. It ingests requirements from an external file ('project.vision-analysis.md') and uses them to determine which technology stacks to research and select. An attacker influencing that file could manipulate the agent's research phase or force the selection of malicious dependencies.
  - Ingestion Point: 'project.vision-analysis.md', mentioned in 'The Job' and Step 1 of the Research Process.
  - Boundary Markers: Absent. There are no instructions for the agent to distinguish between system requirements and potentially malicious instructions embedded in the vision file.
  - Capability Inventory: Includes execution of shell commands ('curl', 'npm', 'cargo', 'gh') and file writing ('project.architecture.md').
  - Sanitization: None provided. The instructions do not specify validation for package names or requirement strings before they are used in research commands.
- [COMMAND_EXECUTION] (LOW): The skill specifies the use of 'curl', 'npm', and 'gh' to fetch version information. While these tools target trusted external sources (crates.io, npmjs.com, github.com), which mitigates the risk per [TRUST-SCOPE-RULE], the actual package names used in the commands are dynamically determined from untrusted input, creating a potential vector for command injection if the agent is not inherently cautious.
- [INFO] (LOW): Automated scanner alerts flagging 'main.rs' as a malicious URL appear to be false positives: the '.rs' (Serbia) top-level domain is misidentified as a suspicious link, when it is actually a standard Rust source file extension.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE