agent-architect

Warn

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is centered on creating a 'Layer 0' enforcement environment by generating and running local shell and Node.js scripts. Evidence: references/enforcement-architecture.md contains the full source code for plan-phase.sh, execute-phase.sh, audit-phase.sh, and several .mjs files designed to be executed during the agent's lifecycle.
  • [DYNAMIC_EXECUTION]: The 'Bootstrap' mode automates the creation of executable files on the user's filesystem based on templates in the documentation. These scripts are subsequently executed to enforce constraints and manage session state. Evidence: references/enforcement-architecture.md §7 defines the bootstrap process where the agent installs scripts and configuration files.
  • [REMOTE_CODE_EXECUTION]: The check-phase-entry.mjs script template uses child_process.execSync to run commands specified in a PHASE_ENTRY_CHECKS dictionary. These commands are derived from planning documents (Tier 3 planning) and represent a command injection risk if the planning data is manipulated or poisoned. Evidence: references/enforcement-architecture.md §9 provides the logic for the entry gate script which executes arbitrary strings as shell commands.
  • [PROMPT_INJECTION]: The skill's architecture is susceptible to indirect prompt injection (Category 8). It processes project specifications (docs/SPEC.md) and requirements to generate the 'Phase Entry Checks' and 'Truth Gates' that eventually become executable commands.
    1. Ingestion points: docs/SPEC.md, _planning/roadmap.md, and phase-specific README files.
    2. Boundary markers: Absent. The skill relies on structured planning but does not implement delimiters to prevent instruction injection within the data files.
    3. Capability inventory: High-privilege capabilities including file writes, directory scanning, and arbitrary shell command execution via execSync and shell scripts.
    4. Sanitization: No sanitization or validation of the commands defined in PHASE_ENTRY_CHECKS is present in the provided script templates.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 25, 2026, 04:30 PM
Security Audit — agent-trust-hub — agent-architect