cookoff
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core workflow of processing external documentation.
  - Ingestion points: Subagents are instructed to read a design document from `docs/plans/<feature>/design.md` as the primary source for implementation planning in Phase 3.
  - Boundary markers: The prompt provided to subagents lacks explicit delimiters or "ignore embedded instructions" warnings for the content of the design document.
  - Capability inventory: The orchestrated subagents have access to powerful tools including file system modification, plan execution, and shell access for testing (`npm test`) and git operations.
  - Sanitization: No evidence of validation or sanitization of the design document's content is present before it is interpolated into subagent tasks.
- [COMMAND_EXECUTION]: The skill uses automated shell commands to manage implementation environments and verify results.
  - Evidence: Phase 2 and 5 use `mkdir` and `git branch -D` for directory and branch lifecycle management.
  - Evidence: Phase 3 utilizes `git worktree add` to create isolated environments for parallel implementations.
  - Evidence: Phase 4 and 5 perform automated diffing and verification via `diff -r`, `npm test`, and `npm run build`.
Audit Metadata