ce-work

Pass

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs extensive shell command execution for repository management and quality assurance. It uses git for branch creation, worktree isolation, and merging (e.g., 'git worktree', 'git merge'). It also invokes local project test suites using commands like 'npm test', 'pytest', or 'bin/rails test' to verify code changes.
  • [DATA_EXPOSURE]: The skill accesses repository metadata and configuration files such as 'package.json', 'CLAUDE.md', and 'AGENTS.md' to understand project conventions and identify issue trackers. This access is limited to local project files necessary for its development functions.
  • [PROMPT_INJECTION]: The skill processes untrusted user-supplied data through the '#$ARGUMENTS' tag in 'SKILL.md', which represents an indirect prompt injection surface.
      • Ingestion points: User-provided plans or work descriptions are ingested into the '<input_document>' block in 'SKILL.md'.
      • Boundary markers: The skill utilizes XML-style tags ('<input_document>') to delimit the external input from its own instructions.
      • Capability inventory: The skill has broad capabilities, including the ability to modify any file in the repository, execute shell commands, and spawn subagents with isolated context.
      • Sanitization: There is no explicit sanitization or 'ignore instructions' warning applied to the ingested content, though the triage phase and task-list review provide an inherent layer of agent-led validation.
Audit Metadata
Risk Level: SAFE
Analyzed: May 1, 2026, 06:10 AM