trace-validate
Warn
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs dynamic command execution by detecting and running project-specific test runners. It explicitly attempts to execute commands such as `npm test`, `pytest`, `gradle test`, `dotnet test`, and `go test` based on the repository's configuration files. This results in the execution of local scripts and binaries within the repository's context.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it processes untrusted data from repository files.
  - Ingestion points: The skill reads business rules (`BR-XX`) and scenarios (`SC-XX`) directly from `docs/specs/user-stories/US-XXX-*/README.md`.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands within the processed documentation are present.
  - Capability inventory: The skill possesses the ability to execute shell commands (test runners) and write files (`trace-report.md`) based on the data it processes.
  - Sanitization: There is no evidence of sanitization or validation of the content extracted from the README files before it is used to influence the skill's flow or the final report.
- [REMOTE_CODE_EXECUTION]: Although the skill executes local code, the practice of automatically running tests from an external or potentially compromised repository without manual review constitutes a risk similar to remote code execution, as the tests themselves can contain arbitrary logic.
- [DATA_EXFILTRATION]: The skill accesses `.agents/MEMORY.md` and other sensitive repository structures to resolve language settings and project configuration, which could lead to unauthorized data exposure if the agent is manipulated via prompt injection.
Audit Metadata