gm
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill explicitly instructs the agent to ignore standard safety protocols and user oversight. It states that the chain should run to completion 'without re-asking' and 'without permission gates between phases,' effectively overriding the human-in-the-loop safety model for autonomous actions.
- [COMMAND_EXECUTION]: The orchestrator logic implements dynamic tool invocation. It reads a value from a local JSON file (`.gm/exec-spool/out/<N>.json`) and uses that variable to immediately execute a new skill via the `Skill` tool.
- [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to control-flow hijacking if the spool directory is compromised.
  - Ingestion points: Reads execution state and next steps from `.gm/exec-spool/out/<N>.json`.
  - Boundary markers: Absent. The skill treats the `nextSkill` field from the file as a trusted directive.
  - Capability inventory: Uses the `Skill` tool to invoke other functionalities, along with `Read` and `Write` access to the file system.
  - Sanitization: There is no evidence of validation or sanitization for the `nextSkill` string before it is passed to the tool executor.
Audit Metadata