workflow-feature-spec
Pass
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses highly prescriptive language, including terms like 'Strict execution contract' and 'MANDATORY', to ensure the agent follows its specific protocol over platform-specific instructions. These are functional constraints for the workflow and do not represent a malicious bypass of AI safety guardrails.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by ingesting and processing project-specific documentation and user-provided prompts to generate feature specifications.
- Ingestion points: The workflow reads project documentation from
docs/project-config.json,docs/project-reference/, anddocs/specs/(e.g., inSKILL.md). - Boundary markers: No explicit delimiters or boundary markers are defined to isolate untrusted external content during processing.
- Capability inventory: The skill possesses the ability to read and write files and is explicitly authorized to invoke the
spawn_agenttool to create sub-agents. - Sanitization: The skill does not describe specific sanitization or filtering protocols for ingested data, although it mandates multiple human-in-the-loop review gates (
$plan-review,$why-review). - [COMMAND_EXECUTION]: The skill defines a sequence of internal tool and skill calls (e.g.,
$scout,$investigate,$project-init) and authorizes the use of thespawn_agentcapability to delegate tasks. These executions are within the scope of its documented purpose as a workflow orchestrator.
Audit Metadata