ai-execute-task

Fail

Audited by Gen Agent Trust Hub on Jul 7, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to command injection because it constructs shell commands using unvalidated variables. The instruction to run git -C "$V" commit -m "ai-execute-task: <feature> NN" directly incorporates the <feature> identifier, which is derived from directory names or user input. Shell metacharacters present in these strings could allow an attacker to execute arbitrary commands.
  • [REMOTE_CODE_EXECUTION]: The skill executes build and test commands (e.g., make lint && make test) on the local repository. This grants the build system (such as a Makefile) the ability to execute arbitrary code in the agent's environment, which is a risk when working on untrusted or compromised repositories.
  • [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface (Category 8). It reads and follows instructions from PRD and technical specification files stored in an Obsidian vault.
  • Ingestion points: Technical specs and PRDs in engineering/<project>/workplans/<feature>/ (SKILL.md).
  • Boundary markers: Absent. Documentation is ingested and followed without delimiters or safety warnings.
  • Capability inventory: Bash shell access, file system write access, network access (git push), and Makefile execution.
  • Sanitization: Absent. There is no validation or escaping of the content read from the vault documents.
  • [DATA_EXFILTRATION]: The skill utilizes the git push command to sync documentation to a remote vault. This network capability, combined with the lack of sanitization and the command injection vulnerability, creates a pathway for exfiltrating sensitive local data to unauthorized remote servers.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 7, 2026, 02:45 PM
Security Audit — agent-trust-hub — ai-execute-task