principle-separate-before-serializing-shared-state

Pass

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute local commands and scripts, such as 'codex exec' and a 'spawn-codex-worker' script referenced from an external 'pstack' skill, to manage task delegation.
  • [PROMPT_INJECTION]: The instructions contain explicit directives to override standard agent behaviors. This includes replacing default model choices with a non-standard 'gpt-5.6-sol' model and changing delegation workflows (e.g., 'Codex delegation' instead of standard subagent calls).
  • [COMMAND_EXECUTION]: The skill directs the use of the host terminal, browser, and git tools directly to bypass specific platform UI controls (e.g., Cursor panel defaults).
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface:
  • Ingestion points: The skill describes patterns for interacting with shared mutable state in files, git branches, and APIs.
  • Boundary markers: None are specified for the processing of these external data sources.
  • Capability inventory: The skill identifies capabilities including host terminal access, git tools, browser access, and the execution of the 'spawn-codex-worker' script and 'codex' CLI.
  • Sanitization: No sanitization or validation logic is defined for the external data being processed.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 10, 2026, 04:47 PM