auto
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill identifies and manages indirect prompt injection risks associated with processing user-supplied objectives.
  - Ingestion points: The objective is ingested via the /auto command and interpolated into instructions in SKILL.md.
  - Boundary markers: Untrusted input is wrapped in <untrusted_objective> tags with explicit instructions for the agent to treat it as data.
  - Capability inventory: The agent utilizes the bash shell, Task tool, and integrations with GitHub and Linear.
  - Sanitization: Rule R3 (Irreversible-op exception) acts as a mandatory safety gate, requiring user confirmation for destructive actions, which prevents malicious input from triggering unauthorized high-risk operations.
- [PROMPT_INJECTION]: Rule R5 (Sub-skill non-interrupt mode) instructs the agent to suppress user questions from sub-skills and auto-select recommended options. This prioritization of autonomy is constrained by Rule R3, which ensures that security-sensitive or destructive actions still require explicit user approval.
- [COMMAND_EXECUTION]: The skill uses local shell commands for project initialization and logging to GitHub or local files. These actions are limited to standard developer tools (gh, codex) and file management within the project's .claude directory.
Audit Metadata