review-recent-work
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and executes instructions found in repository data files.
- Ingestion points: Reads ExecPlan markdown files from .agent/done/ or user-specified paths (SKILL.md).
- Boundary markers: Absent. There are no instructions to sanitize or ignore malicious content within the verification command blocks of the plan.
- Capability inventory: The skill is capable of executing arbitrary shell commands through the 'verification commands' step and performing file system writes to fix bugs.
- Sanitization: Absent. The skill does not validate the safety of the verification commands extracted from the ExecPlan before execution.
- [COMMAND_EXECUTION]: The workflow explicitly directs the agent to execute shell commands sourced from external files.
- Evidence: In SKILL.md, the agent is instructed to "Run the verification commands from the ExecPlan whenever they still apply."
Audit Metadata