feature-implement
Pass
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains instructions to 'Ignore Claude-specific mode-switch instructions' and 'Ignore previous instructions' (referenced in the Codex compatibility notes). These directives are used to override default model behavior and ensure the agent adheres strictly to the skill's defined implementation protocol.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface: The skill facilitates a complex data-to-code pipeline.
- Ingestion points: User input is ingested via
$ARGUMENTSinSKILL.md, and numerous project files are read, includingdocs/project-config.json, Feature Specs indocs/specs/, and the project reference catalog indocs/project-reference/*. - Boundary markers: The skill lacks technical boundary markers or isolation tags for ingested content. It relies on the 'Goal Contract' and 'Success Criteria' to anchor behavior, but these do not provide a secure boundary against instructions embedded in user input or project docs.
- Capability inventory: The skill has significant capabilities in
SKILL.md, including writing to the filesystem (e.g.,plans/,.ai/workspace/analysis/) and executing local Python scripts (.claude/scripts/code_graph). - Sanitization: No explicit sanitization or filtering of external input is implemented in the protocol.
- [COMMAND_EXECUTION]: The skill mandates the execution of local Python scripts located at
.claude/scripts/code_graphto perform codebase analysis, trace dependency chains, and verify implementation blast radius. These commands are executed via the shell within the local development environment.
Audit Metadata