start-work
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill's primary function is to execute instructions from plan files located in the `.omo/plans/` directory. This creates a surface for indirect prompt injection where a malicious plan could hijack the agent's behavior.
  - Ingestion points: Work plans (markdown) stored in `.omo/plans/`.
  - Boundary markers: No isolation markers are present to prevent the agent from treating data in the plan as direct instructions.
  - Capability inventory: The skill can spawn subagents, execute shell commands (git, verification steps), write to the local filesystem, and potentially perform network operations (HTTP calls).
  - Sanitization: No sanitization or verification of the plan content is performed before execution.
- [COMMAND_EXECUTION]: The skill performs shell command execution for git worktree management and for running verification scripts defined within the work plans. If these plan files originate from an untrusted source, they could contain malicious commands.
Audit Metadata