dev-lifecycle
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and executes the 'ai-devkit' package from the public NPM registry using npx. It also orchestrates project-specific dependency installation using standard managers (npm, pip, cargo, etc.) as described in 'references/worktree-setup.md'. These operations target official package registries and are standard for development workflows.
- [COMMAND_EXECUTION]: Executes a variety of shell commands to manage the development environment, including Git worktree operations, lockfile detection, and a local bash script ('scripts/check-status.sh') for progress tracking. The bash script includes regex-based validation of feature names to prevent command injection.
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection (Category 8) because it reads and interprets instructions from user-controlled documentation files in 'docs/ai/'.
- Ingestion points: Reads requirements, design, and planning docs (e.g., 'docs/ai/planning/feature-*.md') to determine next steps.
- Boundary markers: Absent; the agent is directed to follow the contents of these files as an execution plan.
- Capability inventory: Shell execution (npx, git), local script execution, and file system modification.
- Sanitization: While the feature name is validated in scripts, the content of the processed Markdown documents is not sanitized or wrapped in protective delimiters to prevent instruction override.
Audit Metadata