task-breakdown
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core function of processing external project documentation.
- Ingestion points: The skill reads data from
system-architecture.md,skills-resources/meta/specs/*.md, andskills-resources/product/flow/*.md(as specified in theroutingsection ofSKILL.md) to provide context for the decomposition agents. - Boundary markers: The instructions for the agents (e.g.,
agents/decomposer-agent.md,agents/acceptance-agent.md) do not include explicit delimiters or instructions to treat ingested data as untrusted, increasing the risk that embedded instructions in the documentation could override agent behavior. - Capability inventory: The skill allows the use of the
Bashtool, which is a powerful capability that could be abused if an injection is successful. - Sanitization: There is no explicit sanitization or validation of the input files mentioned in the skill definition.
- [COMMAND_EXECUTION]: The skill requests access to the
Bashtool in itsallowed-toolsconfiguration. While the instructions inreferences/execution-protocol.mdsuggest its use for standard development workflows (likegitoperations), providing an LLM-driven agent with general shell access carries inherent risk, especially when combined with the ingestion of untrusted data.
Audit Metadata