theories
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it ingests an external 'Goals Document' and interpolates its content directly into prompts, local files, and GitHub issue metadata.
- Ingestion points: Reads the 'Goals Document' from a user-provided path or input in Phase 1.
- Boundary markers: Absent. No specific delimiters or instructions are provided to isolate the ingested content from the agent's internal logic.
- Capability inventory: Executes multiple GitHub CLI commands (gh issue create, gh issue edit, gh label create) and performs local file writes (theories.md, PROGRESS.md, .gitignore).
- Sanitization: Absent. There is no requirement for the agent to validate or escape the content of the 'Goals Document' before passing it to shell arguments or file buffers.
- [COMMAND_EXECUTION]: The skill executes shell commands using the GitHub CLI ('gh') to manage issues, labels, and repository metadata, which involves processing data derived from external documents.
Audit Metadata