st-full-workflow

Warn

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes local Node.js scripts that execute shell commands to manage the git environment.
      • The script scripts/create-feature-branch.cjs uses child_process.execSync to run git commands, including checkout -b, branch --list, and status. While the branch names are sanitized, the skill requires full access to the local git CLI.
  • [PROMPT_INJECTION]: The skill's architecture relies on loading and obeying instructions from arbitrary files in the project repository, creating an indirect prompt injection vulnerability.
      • Ingestion points: The agent reads and executes instructions from several files within the project's .ai/strikethroo/ directory, such as config/hooks/PRE_PLAN.md, POST_PLAN.md, PRE_PHASE.md, POST_PHASE.md, PRE_TASK_EXECUTION.md, and POST_EXECUTION.md.
      • Boundary markers: The skill lacks boundary markers or instructions to treat hook content as data; instead, Phase 3 explicitly commands the agent to "Read [hook file] and execute its instructions."
      • Capability inventory: The workflow allows the agent to create git branches, write to the file system, move directories, and dispatch other agents using an internal task tool.
      • Sanitization: There is no validation or sanitization of the content found in these Markdown files before they are interpreted as instructions by the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 14, 2026, 02:12 PM
Security Audit — agent-trust-hub — st-full-workflow