todo-resolve

Pass

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes markdown files from the todos/ directory, which may contain instructions that override the agent's intended behavior. If these todo files are generated from external inputs such as pull request comments or issue trackers, an attacker could inject malicious instructions that the agent would then execute with its code-writing and repository-pushing privileges.
      ◦ Ingestion points: Scans .context/compound-engineering/todos/*.md and todos/*.md for actionable content.
      ◦ Capability inventory: The skill can spawn parallel sub-agents (compound-engineering:workflow:pr-comment-resolver), modify the local filesystem, commit changes to git, and push those changes to a remote repository.
      ◦ Boundary markers: No explicit delimiters or instructions are provided to the agent to treat the content of the todo files as data rather than instructions.
      ◦ Sanitization: The skill does not perform any validation or sanitization of the todo content before implementation.
  • [COMMAND_EXECUTION]: The skill performs several file system and version control operations that modify the project state.
      ◦ It creates and deletes files in a scratch directory located at .context/compound-engineering/todo-resolve/<run-id>/.
      ◦ It performs destructive operations by deleting completed or resolved todo files from the repository.
      ◦ It executes version control commands to commit changes and push them to a remote server, which could be exploited to exfiltrate modified code if the agent is compromised via injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 28, 2026, 01:14 AM