p-daily-standup
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local command-line tools including `gh` (GitHub CLI) and `gws` (Google Workspace CLI) to retrieve pull request status and calendar events from the previous business day.
- [COMMAND_EXECUTION]: Includes a maintenance script `scripts/skillctx-resolve.py` that reads and writes to a local configuration file at `~/.config/skillctx/config.json` to manage environment bindings and placeholders.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from Slack message history and GitHub PR titles.
  - Ingestion points: Slack messages retrieved via `slack_search_public_and_private` (in `references/agent-gather-slack-prev-day.md`) and GitHub PR metadata (in `references/agent-gather-github-prev-day.md`).
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the prompt templates.
  - Capability inventory: The agent has the capability to post messages to Slack channels via `slack_send_message` (in `SKILL.md`).
  - Sanitization: No explicit sanitization or filtering of the retrieved content is performed before interpolation into the final standup draft.
- [SAFE]: The workflow incorporates a mandatory manual confirmation step (Phase 6) where the user must approve the generated draft before it is posted to Slack, effectively mitigating the risk of automated malicious actions via indirect injection.
Audit Metadata