roughcut

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The helper script export.rb uses backticks to execute xmllint for XML validation. The xml_path parameter, which is passed as a command-line argument and can be partially derived from file names, is interpolated directly into the shell command string without sanitization, creating a potential command injection vector.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted plan markdown files.
  • Ingestion points: SKILL.md interpolates the entire content of an external plan markdown file into the sub-agent's prompt using the {paste full plan markdown} template variable.
  • Boundary markers: The template does not use delimiters or include instructions to ignore embedded commands within the plan content.
  • Capability inventory: The sub-agent has capabilities including file system reads, local command execution (cp, grep, date), and running external scripts via bundle exec.
  • Sanitization: No validation or sanitization of the interpolated markdown content is performed.
  • [DATA_EXFILTRATION]: SKILL.md includes logic to copy exported XML files to the ~/Desktop/ directory. Accessing and writing to sensitive user-level directories beyond the project scope increases the risk of data exposure, although it is presented as an optional convenience for the user.
Audit Metadata
Risk Level
SAFE
Analyzed
May 15, 2026, 01:48 PM
Security Audit — agent-trust-hub — roughcut