programming-pm
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE (flagged: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool extensively to orchestrate project phases, running local scripts and external tools such as git, ruff, mypy, and pytest for code validation and integration.
- [PROMPT_INJECTION]: The workflow is vulnerable to indirect prompt injection in Phase 6. It parses a list of changed files from an agent-generated handoff file (phase5-review-handoff.yaml) and executes 'git add' on those paths.
- Ingestion points: Path strings extracted from the 'handoff.changes.files_changed' list in the review handoff file.
- Boundary markers: No delimiters or safety instructions are used for these data fields.
- Capability inventory: Execution of Git commands (add, commit) using the ingested paths.
- Sanitization: The skill checks only that each path names an existing regular file (the shell '-f' test). It does not confine the paths to the project root (absolute paths and '..' components are accepted as long as the target exists), so an adversarial agent that writes the handoff file could stage sensitive system or configuration files into a commit.
- [DATA_EXFILTRATION]: The skill includes a hardcoded absolute path to a local synchronization tool (/Users/davidangelesalbores/repos/claude/sync-config.py). This exposes the author's local directory structure and shows that the skill depends on a tool that is not part of the standard skill distribution.
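The following is an added example, not code from the programming-pm skill, showing the '-f'-only check the audit describes next to a path validator that confines handoff paths to the project root before they reach `git add`. It assumes ROOT is the checked-out project root, that handoff paths are relative to it, and that the workflow has already flattened `handoff.changes.files_changed` into one path per line in LISTFILE (the YAML extraction step is not shown; the function and file names here are illustrative).

```shell
#!/bin/sh
# Added example (not the skill's own code): validate paths taken from the
# untrusted review handoff before staging them with git.

# naive_check PATH
# The check the audit describes, for contrast: it passes for any existing
# regular file, including /etc/hosts, ~/.ssh/config or ../../.env.
naive_check() {
  [ -f "$1" ]
}

# validate_project_path ROOT PATH
# Succeeds only when PATH is a relative, dot-dot-free name for an existing
# regular (non-symlink) file whose real directory lies under ROOT.
validate_project_path() {
  local root="$1" path="$2" root_abs dir_abs
  case "$path" in
    "" | /* | -*) return 1 ;;          # empty, absolute, or looks like a git option
  esac
  case "/$path/" in
    */../*) return 1 ;;                # any ".." component, e.g. "src/../../.env"
  esac
  root_abs=$(cd "$root" 2>/dev/null && pwd -P) || return 1
  if [ ! -f "$root_abs/$path" ]; then   # must be an existing regular file...
    return 1
  fi
  if [ -L "$root_abs/$path" ]; then     # ...and not a symlink pointing elsewhere
    return 1
  fi
  # Resolve symlinked directory components and confirm the real directory
  # is still inside the root.
  dir_abs=$(cd "$root_abs/$(dirname "$path")" 2>/dev/null && pwd -P) || return 1
  case "$dir_abs/" in
    "$root_abs/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# stage_handoff_files ROOT LISTFILE
# LISTFILE holds one candidate path per line (assumed already extracted from
# handoff.changes.files_changed). Valid paths are staged with an explicit
# "--" so a path can never be parsed as an option; the rest are reported and
# skipped. Returns 1 if anything was rejected so the phase can fail loudly.
stage_handoff_files() {
  local root="$1" list="$2" path rc=0
  while IFS= read -r path || [ -n "$path" ]; do
    if validate_project_path "$root" "$path"; then
      git -C "$root" add -- "$path"
    else
      printf 'refusing to stage untrusted path: %s\n' "$path" >&2
      rc=1
    fi
  done < "$list"
  return "$rc"
}

# Demo on a constructed project layout (no git calls); run with: sh this.sh demo
if [ "${1:-}" = "demo" ]; then
  t=$(mktemp -d)
  mkdir -p "$t/proj/src"
  printf 'print(1)\n' > "$t/proj/src/a.py"      # constructed in-project file
  printf 'secret\n' > "$t/outside.txt"          # constructed out-of-project file
  ln -s "$t/outside.txt" "$t/proj/link.txt"     # symlink escaping the root
  for p in "src/a.py" "../outside.txt" "/etc/passwd" "link.txt" "-f"; do
    if validate_project_path "$t/proj" "$p"; then
      printf 'ok      %s\n' "$p"
    else
      printf 'reject  %s\n' "$p"
    fi
  done
  rm -rf "$t"
fi
```

Rejecting '..' outright (rather than resolving it) also refuses harmless names such as `src/../setup.py`; that is deliberate, since a handoff generated by the skill's own agent has no reason to emit them, and the prefix check on the resolved directory is what actually stops symlinked directories from escaping the root.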
Audit Metadata