workflow-feature-spec

Pass

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill uses highly prescriptive language, including terms like 'Strict execution contract' and 'MANDATORY', to ensure the agent follows its specific protocol over platform-specific instructions. These are functional constraints for the workflow and do not represent a malicious bypass of AI safety guardrails.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by ingesting and processing project-specific documentation and user-provided prompts to generate feature specifications.
  • Ingestion points: The workflow reads project documentation from docs/project-config.json, docs/project-reference/, and docs/specs/ (e.g., in SKILL.md).
  • Boundary markers: No explicit delimiters or boundary markers are defined to isolate untrusted external content during processing.
  • Capability inventory: The skill possesses the ability to read and write files and is explicitly authorized to invoke the spawn_agent tool to create sub-agents.
  • Sanitization: The skill does not describe specific sanitization or filtering protocols for ingested data, although it mandates multiple human-in-the-loop review gates ($plan-review, $why-review).
  • [COMMAND_EXECUTION]: The skill defines a sequence of internal tool and skill calls (e.g., $scout, $investigate, $project-init) and authorizes the use of the spawn_agent capability to delegate tasks. These executions are within the scope of its documented purpose as a workflow orchestrator.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 5, 2026, 06:08 PM
Security Audit — agent-trust-hub — workflow-feature-spec