task-breakdown

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core function of processing external project documentation.
  • Ingestion points: The skill reads data from system-architecture.md, skills-resources/meta/specs/*.md, and skills-resources/product/flow/*.md (as specified in the routing section of SKILL.md) to provide context for the decomposition agents.
  • Boundary markers: The instructions for the agents (e.g., agents/decomposer-agent.md, agents/acceptance-agent.md) do not include explicit delimiters or instructions to treat ingested data as untrusted, increasing the risk that embedded instructions in the documentation could override agent behavior.
  • Capability inventory: The skill allows the use of the Bash tool, which is a powerful capability that could be abused if an injection is successful.
  • Sanitization: There is no explicit sanitization or validation of the input files mentioned in the skill definition.
  • [COMMAND_EXECUTION]: The skill requests access to the Bash tool in its allowed-tools configuration. While the instructions in references/execution-protocol.md suggest its use for standard development workflows (like git operations), providing an LLM-driven agent with general shell access carries inherent risk, especially when combined with the ingestion of untrusted data.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 01:33 AM
Security Audit — agent-trust-hub — task-breakdown