plan
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using user-provided data in Step 0, where it runs `ao beads verify` on an input string. Although the input is validated with a regular expression (`^[a-z]{2,6}-[0-9a-z.]+$`), this remains a pattern of executing commands derived from external sources.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8) by processing untrusted research data and user goals to generate implementation plans.
  - Ingestion points: User-provided goal input and research files in the `.agents/research/` directory.
  - Boundary markers: The skill lacks explicit delimiters or instructions to isolate its internal logic from ingested research content.
  - Capability inventory: The skill uses `TaskCreate` for issue creation, `Task` for sub-agent dispatch, and direct filesystem writes in the `.agents/plans/` directory.
  - Sanitization: No sanitization is performed on generated `check_command` content in acceptance criteria blocks derived from user-provided goals.
- [PROMPT_INJECTION]: Step 3 of the workflow interpolates the user goal directly into the instructions for an 'Explore' sub-agent, creating a vector for direct prompt injection.
Audit Metadata