attention-driven
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a 'Handoff Convention' (documented in `references/harness.md` and `commands/go.md`) which creates a potential surface for indirect prompt injection. The agent is instructed to read a `HANDOFF.md` file and 'Execute the next action as your first work,' which can include shell commands.
  - Ingestion points: The agent reads from `HANDOFF.md` (project root) and other documentation files like `GOAL.md` and `DESIGN.md`.
  - Boundary markers: While the skill uses delimited markers (`<!-- skill:attention-driven -->`) for its own modifications to project instruction files, it does not define boundaries or isolation protocols for the content of the `HANDOFF.md` file itself.
  - Capability inventory: The agent framework expects the capability to execute shell commands, update system instruction files (e.g., `CLAUDE.md`), and perform broad file system writes based on instructions in the handoff.
  - Sanitization: The instructions lack any requirement for sanitization, validation, or safety checks of the 'next action' commands or instructions provided within the handoff artifacts.
- [COMMAND_EXECUTION]: The instruction set in `commands/go.md` explicitly directs the agent to 'Execute the next action' described in `HANDOFF.md` as its first priority. These actions are defined to include 'exact commands,' facilitating the execution of arbitrary shell commands from potentially untrusted project files without intermediate human verification steps.
- [SAFE]: The skill performs routine maintenance of project documentation (goals, design decisions, and blueprints) and uses standard delimited blocks to update agent instruction files. These behaviors are properly scoped within the vendor's intended functionality for project management and continuity.
Audit Metadata