investigate
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Vulnerability to indirect prompt injection through the ingestion of untrusted data.
- Ingestion points: The skill collects data from the local environment, including codebase files, error logs, and stack traces via the Read, Grep, and Glob tools in phases/01-root-cause-investigation.md and phases/02-pattern-analysis.md.
- Boundary markers: Collected evidence is interpolated into instructions for the ccw cli tool (e.g., in Phase 1, Step 4) without using distinct delimiters or 'ignore instructions' directives to isolate untrusted content from the agent's instructions.
- Capability inventory: The skill possesses high-privilege capabilities including arbitrary shell command execution (Bash) and file system modification (Edit, Write), which are used in phases/04-implementation.md and phases/05-verification-report.md.
- Sanitization: No mechanisms are in place to sanitize or validate the content of error messages or source files before they are processed by the reasoning engine or the CLI tool.
- [COMMAND_EXECUTION]: The skill executes dynamic shell commands for bug reproduction in phases/01-root-cause-investigation.md and runs automated test suites (e.g., npm test, pytest) in phases/05-verification-report.md. While these are necessary for debugging, they represent a vector for executing malicious commands if the reproduction steps or project configuration are sourced from untrusted or compromised data.
Audit Metadata