seeding-playbooks
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of local shell execution via the
bunruntime and thereleasesCLI. It executes commands to list organizations (admin org list), fetch source metadata, and save generated notes. These operations are core to the skill's purpose as an administrative automation tool. - [DATA_EXFILTRATION]: The skill accesses local organizational data, including source URLs, product slugs, and fetch logs. This data is read into the agent's context to facilitate the analysis and generation of playbook instructions. No external exfiltration to non-vendor domains was detected.
- [PROMPT_INJECTION]: There is an attack surface for indirect prompt injection. The skill interpolates data retrieved from local commands (such as organization names, product lists, and source metadata) directly into prompts dispatched to sub-agents. While this could allow malicious data within those fields to influence agent behavior, the impact is localized to the developer's execution environment and follows the intended agentic workflow pattern.
- Ingestion points: Data enters the context from
bun src/index.ts admin org listandadmin org getcommands. - Boundary markers: Absent; interpolated data is placed directly into text sections within the prompt templates.
- Capability inventory: Sub-agents have the capability to execute shell commands (specifically the
releasesCLI) as instructed by the parent agent. - Sanitization: No explicit sanitization or escaping of the interpolated metadata is performed before prompt construction.
Audit Metadata