gadd-approve
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes user-provided markdown artifacts (PRDs, SDDs, and Plans) to automate approvals.
- Ingestion points: Reads ledger.yml and artifact files (PRD, SDD, and plan body content) located within the repository.
- Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions when processing artifact content.
- Capability inventory: The skill can write to local files (ledger.yml, artifact frontmatter) and interact with the GitHub API to create or update issues.
- Sanitization: While the skill uses templates for GitHub issue creation (e.g., gadd/templates/issue-body-prd.md), it interpolates content from the analyzed artifacts into these templates without explicit sanitization.
- [SAFE]: The skill interacts with GitHub for issue management, which is a well-known service and consistent with the skill's stated purpose of tracking work items.
- [SAFE]: File system operations are limited to project-specific files (ledger.yml, design documents) and do not involve sensitive system directories or credentials.
Audit Metadata