wta-green-impl
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it reads and interprets data from external files to guide its actions. Maliciously crafted instructions within these files could potentially override the agent's intended behavior.
- Ingestion points: The agent reads from the
contract/directory (specificallyintent.md,task.md, andinterface.md) and theproduct/source code directory. - Boundary markers: The skill references generated
AGENTS.mdandCLAUDE.mdfiles for context but lacks explicit delimiters or instructions to ignore embedded commands within the processed data. - Capability inventory: The skill can modify the file system, execute arbitrary shell commands via build tools, and perform network operations through the
wta submitcommand. - Sanitization: No sanitization or validation of the ingested content is performed before use.
- [COMMAND_EXECUTION]: The skill uses various shell commands to perform its core functions, including project-specific CLI tools, standard build systems, and version control.
- Evidence: Execution of
wta take,wta pull,wta submit,cargo build --locked,cargo test --locked, andgit commit. - Context: While these are legitimate tools for a coding role,
cargo testandcargo buildcan execute arbitrary code defined within the repository's build configuration or test suites.
Audit Metadata