dev-workflow
Warn
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically generates a secondary skill definition (run-tests/SKILL.md) by parsing local project configuration files such as package.json, Makefile, and docker-compose.yml. This generated content is written to the filesystem and subsequently executed by the agent.
- [COMMAND_EXECUTION]: During the initialization process, the skill executes various shell commands to detect project types and set up prerequisites. This includes potentially impactful operations like starting Docker services (docker compose up -d) or preparing databases (bin/rails db:prepare).
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it derives execution logic and command parameters from untrusted files within the project directory and from previous conversation history.
  - Ingestion points: Local configuration files (package.json, Gemfile, Cargo.toml, etc.) and the current conversation history (used in Step 9).
  - Boundary markers: The skill does not implement explicit delimiters or instruction-ignore headers when processing data from these files.
  - Capability inventory: The skill has access to extensive shell command execution (Bash), file modification (Write, Edit), and the ability to spawn subagents (Agent tool).
  - Sanitization: There is no evidence of validation or sanitization of the commands extracted from project files before they are executed in the shell.
Audit Metadata