auto
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an 'auto-approve' mechanism that explicitly instructs the agent to bypass user interaction and proceed with task execution. Combined with the feature that infers the task from conversation context, this creates a vulnerability to indirect prompt injection.
- Ingestion points: Task descriptions are ingested via
$ARGUMENTSor inferred from the conversation context (SKILL.md, 'Input' section). - Boundary markers: There are no boundary markers or instructions to ignore embedded commands within the ingested context.
- Capability inventory: The skill invokes
manifest-dev:do, which performs file modifications and command execution based on the generated manifest (SKILL.md, 'Flow' section). - Sanitization: No sanitization or validation of the inferred task is performed before the manifest is 'auto-approved' and executed.
Audit Metadata