ai-execute-task
Fail
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill is vulnerable to command injection because it constructs shell commands using unvalidated variables. The instruction to run
git -C "$V" commit -m "ai-execute-task: <feature> NN"directly incorporates the<feature>identifier, which is derived from directory names or user input. Shell metacharacters present in these strings could allow an attacker to execute arbitrary commands. - [REMOTE_CODE_EXECUTION]: The skill executes build and test commands (e.g.,
make lint && make test) on the local repository. This grants the build system (such as aMakefile) the ability to execute arbitrary code in the agent's environment, which is a risk when working on untrusted or compromised repositories. - [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface (Category 8). It reads and follows instructions from PRD and technical specification files stored in an Obsidian vault.
- Ingestion points: Technical specs and PRDs in
engineering/<project>/workplans/<feature>/(SKILL.md). - Boundary markers: Absent. Documentation is ingested and followed without delimiters or safety warnings.
- Capability inventory: Bash shell access, file system write access, network access (git push), and Makefile execution.
- Sanitization: Absent. There is no validation or escaping of the content read from the vault documents.
- [DATA_EXFILTRATION]: The skill utilizes the
git pushcommand to sync documentation to a remote vault. This network capability, combined with the lack of sanitization and the command injection vulnerability, creates a pathway for exfiltrating sensitive local data to unauthorized remote servers.
Recommendations
- AI detected serious security threats
Audit Metadata