groom-backlog-item
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data from backlog items (titles, descriptions, research questions) and GitHub issues (comments, states) and interpolates them directly into prompts for subagents (`backlog-item-groomer`).
  - Ingestion points: Data enters the context via `mcp__plugin_dh_backlog__backlog_list` and `backlog_view` (from `SKILL.md` and `references/groomer-agent.md`).
  - Boundary markers: While arguments are wrapped in `<groom_scope>`, the untrusted content from the backlog items is not delimited or sanitized before being passed to subagents.
  - Capability inventory: The skill and its subagents have access to `git log`, `git show`, `WebFetch`, `WebSearch`, and MCP tools for writing to the filesystem and updating GitHub issues.
  - Sanitization: No escaping or validation is performed on the item content before processing.
- [COMMAND_EXECUTION]: The skill executes shell commands (`git log`, `git show`) using file paths extracted from untrusted sources (plan files or backlog item sections). A malicious backlog item could potentially specify paths that lead to information disclosure of files within the git repository.
- [DATA_EXFILTRATION]: The 'fact-checker' agent is instructed to verify claims using `WebFetch` and `WebSearch`. If a malicious backlog item contains sensitive data in its description or claims, that data could be sent to external search engines or web services during the verification phase.
Audit Metadata