principle-separate-before-serializing-shared-state
Pass
Audited by Gen Agent Trust Hub on Jul 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute local commands and scripts, such as 'codex exec' and a 'spawn-codex-worker' script referenced from an external 'pstack' skill, to manage task delegation.
- [PROMPT_INJECTION]: The instructions contain explicit directives to override standard agent behaviors. This includes replacing default model choices with a non-standard 'gpt-5.6-sol' model and changing delegation workflows (e.g., 'Codex delegation' instead of standard subagent calls).
- [COMMAND_EXECUTION]: The skill directs the use of the host terminal, browser, and git tools directly to bypass specific platform UI controls (e.g., Cursor panel defaults).
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface:
- Ingestion points: The skill describes patterns for interacting with shared mutable state in files, git branches, and APIs.
- Boundary markers: None are specified for the processing of these external data sources.
- Capability inventory: The skill identifies capabilities including host terminal access, git tools, browser access, and the execution of the 'spawn-codex-worker' script and 'codex' CLI.
- Sanitization: No sanitization or validation logic is defined for the external data being processed.
Audit Metadata