groom-milestone

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The BatchGroom step in SKILL.md executes a shell command to spawn sub-agents: claude -p --model sonnet --permission-mode auto --output-format json --no-session-persistence 'Load /dh:groom-backlog-item {title}'. The {title} variable is sourced from external GitHub issue titles provided by the backlog_list_issues tool. This creates a shell command injection vulnerability if a GitHub issue title contains malicious shell metacharacters (e.g., backticks or semicolons).
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the processing of external GitHub issue data.
  • Ingestion points: Untrusted data enters the agent context via the backlog_list_issues tool, which retrieves issue titles and descriptions from GitHub (Step 1 and Step 4 in SKILL.md).
  • Boundary markers: There are no boundary markers or explicit instructions to the sub-agent to ignore instructions embedded within the interpolated {title}.
  • Capability inventory: The skill possesses significant capabilities, including executing local shell commands via the claude CLI and performing file-write operations through the dispatch_create_plan MCP tool.
  • Sanitization: The skill lacks evidence of sanitization, escaping, or validation of the {title} content before it is used to construct sub-agent prompts or shell commands.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 08:41 AM