sdpm-vibe

Pass

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it ingests untrusted content from external sources to drive its workflow.
  • Ingestion points: External data is ingested via WebFetch (URLs), import_attachment (uploaded files), and pasted text in Step 1 of the Vibe Workflow.
  • Boundary markers: The instructions do not specify any delimiters, escaping, or 'ignore instructions' wrappers when interpolating this external content into the specs/brief.md and specs/outline.md files.
  • Capability inventory: The skill uses run_python to execute code, writes to the local file system, and dispatches multiple sub-agents (sdpm:sdpm-composer) which read the generated spec files.
  • Sanitization: No explicit sanitization or validation of the ingested content is mentioned before it is processed by the orchestrator or sub-agents.
  • [COMMAND_EXECUTION]: The skill utilizes a run_python tool to perform file system operations (reading/writing JSON and text) by generating and executing small Python scripts dynamically.
  • Evidence: Step 3 and Step 4 explicitly instruct the agent to use run_python(..., code='write_text("specs/brief.md", content)') to persist data.
  • While the skill documentation claims the environment blocks open(), import, and network access, the assembly of executable code from untrusted material (if the content variable contains injection) is a potential risk factor.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 2, 2026, 06:37 AM
Security Audit — agent-trust-hub — sdpm-vibe