beo/executing
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) during the 'Worker Prompt Assembly' phase. It constructs prompts for subagents by interpolating data from several untrusted or externally influenced sources without proper sanitization or robust boundary markers. Specifically:
  - Ingestion points: The skill reads task descriptions using `br show <TASK_ID>`, task summaries from `plan.md`, and historical task results from `br comments list <DEP_ID>` in Phase 3.
  - Boundary markers: The skill uses basic Markdown headers (e.g., `## Your Task`, `## Previous Task Results`) to separate instructions from interpolated data. These markers are easily bypassed if the source data contains similar Markdown formatting or instructions intended to override the subagent's role.
  - Capability inventory: The skill has the capability to dispatch subagents via the `task()` tool, which allows the execution of general implementation tasks.
  - Sanitization: There is no evidence of sanitization, escaping, or filtering of the content retrieved from the `br` CLI tool or local artifacts before it is inserted into the worker prompt. If a task description or a comment contains malicious instructions, the worker subagent may follow them instead of the orchestrator's intended spec.