executing
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes various shell commands, including a local Node.js script (`.codex/khuym_status.mjs`), version control operations (`git commit`), and arbitrary verification scripts defined in task metadata (e.g., `npm test`).
- [DATA_EXFILTRATION]: The agent is instructed to transmit project state summaries, file modification lists, and implementation details to external coordinators using the Agent Mail messaging system.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because its operational logic and verification criteria are derived from external data sources such as task 'beads' and project-level documentation (`AGENTS.md`, `CONTEXT.md`).
- Ingestion points: Tasks are retrieved via `br show`, and coordination messages are fetched via `fetch_inbox` from the Agent Mail service.
- Boundary markers: The instructions lack explicit delimiters or safety markers when processing content from beads or messages.
- Capability inventory: The agent possesses significant capabilities, including shell command execution (`npm`, `git`, `br`), file writing (`HANDOFF.json`), and network communication via MCP tools.
- Sanitization: There is no evidence of validation or sanitization of instructions found within the task descriptions or project files before they are acted upon.
Audit Metadata