pre-mortem
Fail
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Command injection vulnerability identified in the instructions for using the `ao` tool. The skill provides shell command templates, such as `ao lookup --query "<plan goal or title>"` and `ao search "plan validation lessons <goal>"`, which directly interpolate plan metadata. An adversary could exploit this by crafting a plan with a malicious title containing shell metacharacters to execute unauthorized commands in the agent's environment.
- [COMMAND_EXECUTION]: The skill executes a local hook script, `hooks/finding-compiler.sh`, if present in the workspace. This behavior allows for the execution of arbitrary code if an attacker can manipulate the workspace to include a malicious script.
- [PROMPT_INJECTION]: Risk of indirect prompt injection, as the skill processes untrusted plan and specification files (`PLAN.md`, `SPEC.md`) via LLM-based judges (`/council`). The lack of sanitization or robust boundary markers means adversarial content within the plans could manipulate the judges' logic.
  - Ingestion points: External plan and specification files, and `PRODUCT.md`.
  - Boundary markers: Not specified for plan/spec content processing.
  - Capability inventory: Shell command execution (`ao` CLI), file system writes (`.agents/council/`, `.agents/findings/registry.jsonl`), and cross-agent delegation.
  - Sanitization: No evidence of input validation or escaping for the ingested content.
Recommendations
- AI detected serious security threats
Audit Metadata