trellis-brainstorm
Pass
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes a local script (./.trellis/scripts/task.py) and passes user-provided strings as command-line arguments. This pattern is vulnerable to command injection if the platform or the script does not properly sanitize shell metacharacters.
- [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface (Category 8) by processing untrusted user input to drive subsequent agent actions.
  - Ingestion points: User-provided descriptions of tasks or features.
  - Boundary markers: None are defined to isolate untrusted data from the instructions provided to the sub-agent.
  - Capability inventory: The skill performs subprocess execution, file-system writes (creating prd.md), and spawning of sub-agents.
  - Sanitization: There are no instructions for sanitizing or escaping user input before it is used in documentation or as a prompt for the trellis-research sub-agent.
Audit Metadata