story-done
Warn
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to automatically run tests identified within story files. Specifically, in Phase 3, it searches for test file paths and executes them. This is dangerous because there is no validation that these paths, or the files they point to, are safe, which allows potential command injection via the story file content.
- [REMOTE_CODE_EXECUTION]: Executing arbitrary scripts supplied by external markdown files (stories) constitutes a remote code execution vector if an attacker can influence the content of the story files being reviewed.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection due to the way it processes external data.
  - Ingestion points: In Phase 2, the skill reads story files, GDD requirements, ADRs, and the tr-registry.yaml file directly into its context.
  - Boundary markers: The instructions do not specify any delimiters or safety markers to differentiate between trusted system instructions and untrusted content from the files.
  - Capability inventory: The skill has access to powerful tools including Bash (shell execution), Edit (file system modification), and Task (triggering other agent tasks).
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the data extracted from story files before it is used in subsequent phases, particularly during shell execution in Phase 3.
Audit Metadata