woostack-execute

Pass

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill architecture handles external plan files and subagent-generated diffs, creating an attack surface for indirect prompt injection.
      • Ingestion points: Markdown plans in .woostack/plans/ and task diffs reported by implementer subagents.
      • Boundary markers: Instructions explicitly warn the agent and subagents to treat plan steps and diffs as untrusted data, requiring them to ignore instructions embedded within those inputs.
      • Capability inventory: The skill can execute shell commands (git, gt), perform filesystem writes, and spawn autonomous subagents.
      • Sanitization: The skill uses a 'Worktree pin' in its subagent prompts: a shell-based check that asserts the current directory is the intended worktree before allowing any writes or tests.
  • [COMMAND_EXECUTION]: The skill performs shell-based repository operations, specifically using git worktree and Graphite (gt) commands to manage stacked increments. These commands use variables (branch names, slugs) derived from plan files, which are managed as untrusted data per the skill's own security guidelines.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 17, 2026, 03:12 PM