apply
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and follows instructions from various project files without explicit sanitization or boundary markers.
- Ingestion points: Artifacts including proposal.md, features/*.feature, design.md, tasks.md, status.yaml, and config.yaml are read to guide the implementation process.
- Boundary markers: The skill lacks delimiters or instructions to the agent to ignore natural-language commands embedded within these artifacts.
- Capability inventory: The agent has the ability to write implementation code, modify feature files, and execute shell commands for testing.
- Sanitization: There is no evidence of validation or sanitization of the content extracted from these files before it is used to influence the agent's actions.
- [COMMAND_EXECUTION]: The skill dynamically constructs and executes shell commands for running tests based on project configuration and file names.
- Evidence: It invokes test runners (e.g., npx cucumber-js) using paths that include variables (like ) and uses framework names provided in config.yaml (testing.behavior, testing.e2e), which could be exploited if these sources are untrusted.
Audit Metadata