review
Pass
Audited by Gen Agent Trust Hub on May 23, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands to inspect the local repository state.
  - Evidence: Uses `git diff <fixed-point>...HEAD` and `git log <fixed-point>..HEAD --oneline` to generate the data for analysis.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) by processing untrusted data and relaying it to sub-agents.
  - Ingestion points: Untrusted data enters the context through git diff outputs (which include code comments), commit logs, and external spec files or issue trackers (`docs/agents/issue-tracker.md`).
  - Boundary markers: The instructions lack explicit boundary markers or delimiters to isolate the code and spec data from the sub-agent instructions.
  - Capability inventory: The skill invokes the `Agent` tool to spawn sub-agents that process the gathered data.
  - Sanitization: There is no logic provided to sanitize or filter the ingested content before it is interpolated into the prompts for the Standards and Spec sub-agents, allowing embedded malicious instructions in code comments or PRDs to potentially influence the sub-agents' behavior.
Audit Metadata