workflow-revision
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill ingests untrusted data from review findings and uses it to drive high-privilege actions like source code modification and sub-agent orchestration.
- Ingestion points: Untrusted data enters via the
$ARGUMENTSparameter inSKILL.mdor is read from the.workflow/state.jsonfile (specificallystages.review.artifacts.findings). - Boundary markers: The instructions lack delimiters or specific directives to ignore potentially malicious instructions embedded within the findings data.
- Capability inventory: The skill possesses the capability to modify arbitrary project files (Step 2/Step 3) and dispatch sub-agents to perform tasks based on the findings content.
- Sanitization: There is no evidence of validation, escaping, or filtering of the input findings before they are used to determine file-system modifications or sub-agent instructions.
Audit Metadata