cs-feat-design-review

Pass

Audited by Gen Agent Trust Hub on Jul 1, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted data from repository files (markdown, YAML, and source code) and incorporates this data into its reasoning and sub-agent prompts.
  • Ingestion points: The skill reads feature design documents (.codestable/features/{feature}/{slug}-design.md), checklists ({slug}-checklist.yaml), and project source code to perform its review.
  • Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore or isolate embedded instructions within the ingested documents.
  • Capability inventory: The skill has the capability to write files to the local file system (review reports) and invoke secondary agents using the mcp__paseo__create_agent tool or native task tools.
  • Sanitization: No sanitization, validation, or filtering of the external content is mentioned before it is processed or passed to sub-agents.
  • [DATA_EXPOSURE]: The skill instructions specify reading tool-specific configuration from the user's home directory, which is a sensitive location.
  • Evidence: SKILL.md directs the agent to read ~/.paseo/orchestration-preferences.json to determine provider settings for independent reviews.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 1, 2026, 07:40 AM
Security Audit — agent-trust-hub — cs-feat-design-review