real-work
Pass
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill creates a structural vulnerability for indirect prompt injection by instructing agents to treat a local markdown file (plans/*.md) as a 'source of truth' for future actions. This allows instructions within the file to influence the behavior of subsequent agent sessions without sufficient boundary markers or sanitization.
- Ingestion points: Task state and instructions are read from markdown files in the plans/ directory (SKILL.md).
- Boundary markers: The template does not utilize delimiters or specific instructions to ignore embedded prompts within the task descriptions.
- Capability inventory: The skill template explicitly designs a workflow for the agent to execute autonomous shell commands based on content within the 'Verification Plan' section.
- Sanitization: There is no requirement or mechanism for the agent to validate or sanitize the commands or instructions found within the generated plan files.
- [COMMAND_EXECUTION]: The skill instructs the agent to create and later execute 'Verification Plans' consisting of autonomous commands. This feature facilitates shell command execution based on the contents of the plan files, which could lead to unintended command execution if the file content is maliciously crafted.
Audit Metadata