skill-implementer
Warn
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: Unsafe JQ filter interpolation. In stages 2, 7, and 8, the variable '$task_number' is concatenated directly into JQ command strings rather than being passed as a variable (e.g., 'select(.project_number == '$task_number')'). This creates a vulnerability to JQ expression injection, where a non-numeric task identifier could be used to manipulate the state file or leak information from 'specs/state.json'.
- [PROMPT_INJECTION]: Indirect injection surface via subagent metadata. The skill processes external task data through a subagent.
  - Ingestion points: Reads metadata from 'specs/${padded_num}_${project_name}/.return-meta.json' in Stage 6.
  - Boundary markers: None identified for the metadata file content.
  - Capability inventory: Modifies 'specs/state.json' via JQ, updates 'TODO.md' via Edit tool, and performs 'git commit'.
  - Sanitization: Uses 'jq --arg' for content fields, but the selector logic remains vulnerable to the interpolation issue mentioned above.
- [COMMAND_EXECUTION]: Side-effect operations on local repository. The skill performs broad file additions and commits ('git add -A') and executes a project-specific script '.claude/scripts/update-plan-status.sh'.
Audit Metadata