concept-scaffold-gen

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute local commands including 'clef', 'npx tsx', and 'npx vitest'. These commands are used for scaffolding specification files and running tests as part of the intended development workflow.
  • [PROMPT_INJECTION]: The skill interpolates untrusted user input (arguments for name, purpose, and state fields) directly into the prompts used by the agent to generate .concept files. The lack of boundary markers or instructions to the agent to treat this content as untrusted data creates a surface for indirect prompt injection.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 20, 2026, 07:46 AM