feature-implement

Pass

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains instructions to 'Ignore Claude-specific mode-switch instructions' and 'Ignore previous instructions' (referenced in the Codex compatibility notes). These directives are used to override default model behavior and ensure the agent adheres strictly to the skill's defined implementation protocol.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface: The skill facilitates a complex data-to-code pipeline.
  • Ingestion points: User input is ingested via $ARGUMENTS in SKILL.md, and numerous project files are read, including docs/project-config.json, Feature Specs in docs/specs/, and the project reference catalog in docs/project-reference/*.
  • Boundary markers: The skill lacks technical boundary markers or isolation tags for ingested content. It relies on the 'Goal Contract' and 'Success Criteria' to anchor behavior, but these do not provide a secure boundary against instructions embedded in user input or project docs.
  • Capability inventory: The skill has significant capabilities in SKILL.md, including writing to the filesystem (e.g., plans/, .ai/workspace/analysis/) and executing local Python scripts (.claude/scripts/code_graph).
  • Sanitization: No explicit sanitization or filtering of external input is implemented in the protocol.
  • [COMMAND_EXECUTION]: The skill mandates the execution of local Python scripts located at .claude/scripts/code_graph to perform codebase analysis, trace dependency chains, and verify implementation blast radius. These commands are executed via the shell within the local development environment.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 5, 2026, 06:07 PM
Security Audit — agent-trust-hub — feature-implement