do-execute-qa

Warn

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill is instructed to terminate running processes using the kill <pid> command after identifying them via lsof or pgrep. While intended to ensure a clean testing environment, this allows the agent to stop arbitrary processes matching its search patterns without user confirmation.
  • [COMMAND_EXECUTION]: The skill executes package manager commands such as npm run dev, bun dev, or pnpm dev. These commands execute scripts defined in the local package.json file, which could result in the execution of arbitrary code if those scripts are malicious.
  • [COMMAND_EXECUTION]: The skill resolves and loads instruction files from dynamically computed paths (e.g., .claude/skills/do-shared/do-mcp-discovery-instructions.md) based on the detected AI environment. This dynamic loading behavior increases the complexity of the execution chain.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by design, as its core logic involves reading and following functional requirements from external project files (PRDs and TechSpecs).
      • Ingestion points: Files located at ./prds/prd-[feature-slug]/prd.md, ./prds/prd-[feature-slug]/techspec.md, and ./prds/prd-[feature-slug]/tasks/tasks.md are read and parsed to create verification checklists.
      • Boundary markers: Absent. There are no instructions or delimiters used to prevent the agent from obeying malicious commands embedded within the documentation files.
      • Capability inventory: The skill has access to shell execution (bash), file system modification (mkdir, write), and browser automation via MCP tools.
      • Sanitization: Absent. Data from external files is used directly to determine the agent's testing flow and success criteria.
  • [PROMPT_INJECTION]: The 'Autonomous Execution Policy' explicitly instructs the agent to never pause or wait for user input, even for intermediate results or potentially dangerous actions. This removes the 'human-in-the-loop' safety mechanism for the command execution and process management tasks described above.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 8, 2026, 02:50 AM