work-define
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted user input and repo data to generate documentation and execute tool calls.
  - Ingestion points: User-provided story descriptions (via SKILL.md), existing documentation files (docs/specs/user-stories/*/README.md), and the agent memory file (.agents/MEMORY.md).
  - Boundary markers: Absent; there are no instructions in SKILL.md to treat ingested content as data only or to ignore embedded instructions.
  - Capability inventory: The skill (SKILL.md) directs the agent to write files to the repository and invoke the /work-plan tool.
  - Sanitization: None; the skill does not implement validation or escaping for the user-supplied content before it is interpolated into prompts or files.
Audit Metadata