docs-adr
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it searches and reads content from the codebase to populate ADR templates. If a file in the project contains malicious instructions, the agent might interpret them as commands when generating the document.
  - Ingestion points: Codebase files retrieved via the `Task` tool, `grep`, and `find` in Phase 1 and Phase 5 of the workflow.
  - Boundary markers: The instructions do not define clear delimiters or use "ignore embedded instructions" warnings for the data being read from the filesystem.
  - Capability inventory: The skill utilizes the `Read`, `Write`, `Grep`, `Glob`, and `Task` tools, which include capabilities for file modification and tool invocation.
  - Sanitization: No sanitization or validation of the ingested codebase content is performed before it is placed into the `{{CONTEXT}}` placeholder in the markdown templates.
- [COMMAND_EXECUTION]: The skill documents the use of dynamic context injection (using the `!command` syntax) to gather environment data at load time.
  - Evidence: `SKILL.md` contains examples such as `!find . -name "*.sql" ...` and `!grep -r "router|endpoint|api" ...`.
  - Analysis: These commands are used for architectural discovery and are limited to benign search operations (find/grep) without network access or sensitive file exposure.
Audit Metadata