impl
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is built to autonomously execute shell commands and local scripts as part of its implementation loop. It invokes various local bash scripts (e.g., query-assets.sh, loop-step.sh) and explicitly executes the commands defined in the 'acceptance_criteria' field of tasks derived from external PRD files.
- [COMMAND_EXECUTION]: The skill includes functionality to dynamically generate and install new code. The skillify.sh script (triggered by the Korean phrase '스킬로 만들어', "make it a skill") allows the agent to create new AI skills in the '.claude/skills/' directory by aggregating snippets and patterns recorded during development sessions.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its execution logic is driven by content ingested from project files that may be attacker-controlled.
  - Ingestion points: Implementation specifications, strategies, and test commands are read from 'docs/prd-*.md' and '.harnish/harnish-current-work.json'.
  - Boundary markers: The skill documentation does not mention the use of specific delimiters or sanitization for commands extracted from these data sources.
  - Capability inventory: The engine can execute shell commands, modify files, and generate new agent skills based on the data it processes.
  - Sanitization: The skill relies on 'Hard Guardrails' (LLM-based instructions) to prevent dangerous operations like 'DROP TABLE' or credential insertion, rather than on technical enforcement or sandboxing.
Audit Metadata