roughcut
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The helper script
export.rbuses backticks to executexmllintfor XML validation. Thexml_pathparameter, which is passed as a command-line argument and can be partially derived from file names, is interpolated directly into the shell command string without sanitization, creating a potential command injection vector. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted plan markdown files.
- Ingestion points:
SKILL.mdinterpolates the entire content of an external plan markdown file into the sub-agent's prompt using the{paste full plan markdown}template variable. - Boundary markers: The template does not use delimiters or include instructions to ignore embedded commands within the plan content.
- Capability inventory: The sub-agent has capabilities including file system reads, local command execution (
cp,grep,date), and running external scripts viabundle exec. - Sanitization: No validation or sanitization of the interpolated markdown content is performed.
- [DATA_EXFILTRATION]:
SKILL.mdincludes logic to copy exported XML files to the~/Desktop/directory. Accessing and writing to sensitive user-level directories beyond the project scope increases the risk of data exposure, although it is presented as an optional convenience for the user.
Audit Metadata