sdd-slim-implement
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands for code validation and environment management, including
pnpm test,lint,typecheck, and environment-specific commands like/compact(alias/summarize) in OpenCode environments. - [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection (Category 8). It interprets natural language instructions from external files (
spec.md,plan.md,worklog.md) to determine implementation boundaries and verification steps. - Ingestion points: Reads
spec.md,plan.md,worklog.md, and project source code files at runtime. - Boundary markers: Missing. While the subagent prompt uses some headers, it lacks explicit "ignore embedded instructions" delimiters or robust sandboxing for the ingested content.
- Capability inventory: Performs file system writes (modifying code and logs) and executes shell commands for testing and linting in
implement.mdandprompts/subagent-implementation-prompt.md. - Sanitization: Absent. Data from external files is interpolated directly into prompts for subagents without validation or escaping.
- Oversight: The instructions explicitly discourage user interaction (e.g., "禁止打断用户", "不得在实现阶段通过 askquestion 暂停"), increasing the risk that malicious instructions embedded in a specification file could be executed autonomously.
Audit Metadata