write-social

Pass

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute several internal TypeScript utility scripts (e.g., manifest-sync.ts, query-performance.ts, scaffold-eval-loop.ts) using the Bun runtime. These scripts are included within the skill's own package and are used for maintaining a local artifact index, querying performance data from TSV files, and setting up workspace structures. These operations are confined to the local project directories (.forsvn/ and docs/forsvn/) and include path validation logic to prevent directory traversal.
  • [PROMPT_INJECTION]: The skill ingests untrusted user-supplied data, such as content topics or campaign briefs, which are used as context for the copywriter and critic agents. This creates an indirect prompt injection surface. (1) Ingestion points: User-provided topics or brief paths processed in SKILL.md and passed to agents in references/procedures/dispatch-mechanics.md. (2) Boundary markers: The skill uses structured Markdown headers and delimiters to separate user data from agent instructions. (3) Capability inventory: The orchestrator has file system access and shell execution capabilities for internal management tasks, but agent-generated content is not directly executed as code. (4) Sanitization: The multi-agent workflow, which includes a separate format-checking agent and a rubric-based critic agent, provides structural mitigation against attempts to influence behavior through embedded instructions in briefs.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 4, 2026, 10:17 PM
Security Audit — agent-trust-hub — write-social