design-draft
Warn
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a local shell script `./scripts/uxd-approve.zsh` using a variable `[FEATURE-ID]`. If this identifier is derived from untrusted filenames or user input without strict sanitization, it could lead to command injection.
- [DATA_EXFILTRATION]: The skill accesses files outside its immediate directory, specifically reading PRDs from `../refinery-pm-os/outputs/prds/approved/`. While this appears to be part of a larger workspace architecture, it demonstrates the ability to access and process data from sibling directories.
- [INDIRECT_PROMPT_INJECTION]: The skill consumes untrusted data that could influence agent behavior.
  - Ingestion points: Reads PRD files from `../refinery-pm-os/outputs/prds/approved/` (SKILL.md).
  - Boundary markers: Absent. The skill does not instruct the agent to ignore or delimit potentially malicious instructions embedded within the PRD content.
  - Capability inventory: The skill can execute local shell scripts (`uxd-approve.zsh`), write to various output files (HTML, JS, MD), and invoke other sub-skills like `/handoff` and `/generate-screens`.
  - Sanitization: Absent. There is no evidence of validation or escaping for the content extracted from PRDs before it is used to generate documentation or drive the workflow.
- [DYNAMIC_EXECUTION]: The skill modifies an executable JavaScript file `outputs/screens/manifest.js` at runtime to update a preview hub. This dynamic code generation could be exploited if the injected metadata (screen names, descriptions) contains malicious code.
Audit Metadata