
paseo-epic

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: Direct interpolation of $ARGUMENTS into the system prompt allows direct prompt injection: a user can supply instructions that override the skill's orchestrator logic.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface, since it ingests untrusted data from repository code (Step 1) and conversation history (Step 3). Evidence chain:
      • Ingestion points: repository code read in Step 1 and user conversation history captured in Step 3.
      • Boundary markers: absent; the instructions provide no delimiters and no warning to ignore instructions embedded in the ingested content.
      • Capability inventory: file system access (~/.paseo/), network operations (git, gh), and the ability to spawn multiple specialized agents with varying permissions.
      • Sanitization: absent; the skill does not mention escaping or validating the content before it is written into the plan as an "immutable" requirement block.
  • [COMMAND_EXECUTION]: The argument is used to derive a component of a file path (~/.paseo/plans/.md). Without strict sanitization, this enables path traversal, potentially allowing the agent to read or write files outside the intended directory.
  • [COMMAND_EXECUTION]: Several shell commands, including git commit and gh pr create, use content derived from the plan file. Because that content is built from untrusted conversation history and code, it is a vector for command injection if the execution environment does not properly escape these strings.
  • [DATA_EXFILTRATION]: The skill has network capabilities via git push and gh commands. While intended for delivery, these tools could be abused to exfiltrate sensitive data from the local environment if an attacker can manipulate the destination branch or repository defined in the plan.
Audit Metadata
Risk Level
SAFE
Analyzed
May 13, 2026, 08:15 PM