sdpm-vibe
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it ingests untrusted content from external sources to drive its workflow.
- Ingestion points: External data is ingested via
WebFetch(URLs),import_attachment(uploaded files), and pasted text in Step 1 of the Vibe Workflow. - Boundary markers: The instructions do not specify any delimiters, escaping, or 'ignore instructions' wrappers when interpolating this external content into the
specs/brief.mdandspecs/outline.mdfiles. - Capability inventory: The skill uses
run_pythonto execute code, writes to the local file system, and dispatches multiple sub-agents (sdpm:sdpm-composer) which read the generated spec files. - Sanitization: No explicit sanitization or validation of the ingested content is mentioned before it is processed by the orchestrator or sub-agents.
- [COMMAND_EXECUTION]: The skill utilizes a
run_pythontool to perform file system operations (reading/writing JSON and text) by generating and executing small Python scripts dynamically. - Evidence: Step 3 and Step 4 explicitly instruct the agent to use
run_python(..., code='write_text("specs/brief.md", content)')to persist data. - While the skill documentation claims the environment blocks
open(),import, and network access, the assembly of executable code from untrusted material (if thecontentvariable contains injection) is a potential risk factor.
Audit Metadata