cc-new-feature
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill includes a 'Process Sovereignty Declaration' (流程主权声明) that explicitly instructs the agent to ignore or bypass specific external skills (e.g., superpowers:brainstorming, superpowers:writing-plans) during its execution. It attempts to establish a self-defined priority rule to override the agent's default tool/skill selection behavior.
- [COMMAND_EXECUTION]: The instructions and the default prompt in the agent configuration explicitly mandate the execution of shell commands, specifically
mkdir -p .codex/tasks/archived, to initialize the project environment. It also instructs the agent to move files within the directory structure. - [DATA_EXPOSURE_&_EXFILTRATION]: The skill manages state through the local file system, specifically targeting
.codex/tasks/within the project root and falling back to~/.codex/tasks/. While this is intended for task tracking, it involves reading and writing files in user-accessible paths. - [INDIRECT_PROMPT_INJECTION]: The skill has an attack surface for indirect injection as it reads existing task files from the
.codex/tasks/directory to resume work. - Ingestion points: Reads task files from
.codex/tasks/(SKILL.md, agents/openai.yaml). - Boundary markers: None identified; the skill does not specify delimiters to separate task file content from instructions.
- Capability inventory: File system writes (
templates/task.md), directory creation (mkdir), and file movement (mv). - Sanitization: No explicit sanitization or validation of the content read from task files is described.
Audit Metadata