start-work
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is subject to potential indirect prompt injection because it performs actions based on instructions found in work plans and user notes.
- Ingestion points: Work plans located in the
.omo/plans/directory and user-provided input during the 'No-plan bootstrap' phase. - Boundary markers: The skill does not currently use specific delimiters or ignore-instructions warnings when processing the contents of work plans.
- Capability inventory: The skill can trigger agent spawns (
multi_agent_v1.spawn_agent), manage file systems (git worktree), and perform network or UI interactions (curl,tmux,chrome). - Sanitization: Input content is not sanitized for instructions, but the skill relies on a multi-gate 'Adversarial Verify' process to confirm the safety and validity of all work performed.
- [COMMAND_EXECUTION]: The skill utilizes several system-level tools to manage the development environment and verify work, including
gitfor worktree management,curlfor network requests, andtmuxorchromefor UI-based QA testing. - [EXTERNAL_DOWNLOADS]: Fetches configuration and guidelines from the Vercel Labs repository for web-based verification tasks.
- [DATA_EXFILTRATION]: Enforces a mandatory secret redaction policy that requires the masking of auth headers, API keys, credentials, and personally identifiable information (PII) before any data is written to the ledger or PR handoffs.
Audit Metadata