skf-forger
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests and processes data from external files to determine agent state and behavior.\n
- Ingestion points: The agent reads configuration from
{project-root}/_bmad/skf/config.yaml, preferences from{sidecar_path}/preferences.yaml, and knowledge content from fragment files referenced inskf-knowledge-index.csv.\n - Boundary markers: There are no explicit delimiters or instructions provided to the LLM to ignore or separate instructions potentially embedded in these external files.\n
- Capability inventory: The agent can invoke various other skills (e.g.,
skf-setup,skf-create-skill,skf-analyze-source) that perform filesystem and repository operations.\n - Sanitization: No sanitization or validation of the content read from external files is described before it is interpolated into the agent context.\n- [COMMAND_EXECUTION]: The skill implements a 'Pipeline Mode' that dynamically parses and executes a sequence of other tools based on user input.\n
- Evidence: The skill processes user strings containing multiple workflow codes (e.g.,
BS CS TS EX) or aliases (e.g.,forge,onboard) to dynamically sequence the invocation of registered agent capabilities.
Audit Metadata