team-startup
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the user to execute
copilot --allow-all --max-autopilot-continues 50. This configuration enables the agent to execute tools without manual confirmation and increases the number of autonomous actions allowed, which can lead to unintended consequences if the agent processes malicious input or encounters unexpected conditions.\n- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by passing unvalidated user input to multiple sub-agents in a coordinated workflow.\n - Ingestion points: Data provided by the user (e.g., project goal and critical flow) is ingested and used to populate tasks for several sub-agents.\n
- Boundary markers: The skill does not use delimiters or isolation techniques when interpolating user data into commands for agents like
@eng-backendand@growth-hacker.\n - Capability inventory: The orchestrating skill has the capability to write files to the repository (
docs/*.md) and command multiple autonomous specialized agents.\n - Sanitization: There is no evidence of input validation, sanitization, or instructions to ignore embedded commands within the user-provided goals.\n- [PROMPT_INJECTION]: The instruction to "concede /allow-all" serves to bypass platform-level safety and authorization constraints, instructing the user to remove oversight mechanisms that are meant to ensure the agent operates within safe boundaries.
Audit Metadata