
specs

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains instructions that explicitly override standard agent safety and interaction patterns, specifically commanding the agent to "Never pause for manual confirmation between successful deterministic steps" and "Continue forward automatically until reaching a hard stop condition." This increases the risk that malicious instructions present in repository files are executed without user review.
  • [PROMPT_INJECTION]: The "Invocation Contract" forbids the agent from providing "Purely instructional or explanatory text" when a command is given, which may suppress the agent's ability to provide warnings or context if it detects suspicious patterns.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its automated processing of repository artifacts.
  • [PROMPT_INJECTION]: Evidence of indirect prompt injection surface:
    1. Ingestion points: The agent reads state and requirements from specs/status.yaml, specification.md, and individual task files within specs/*/tasks/.
    2. Boundary markers: The workflow uses structured YAML for state management, but requirements and tasks are defined in Markdown files which lack clear delimiters or "ignore embedded instructions" warnings.
    3. Capability inventory: The skill has the capability to perform repository-wide reads, write to multiple orchestration and implementation files, and invoke sub-agents with provided context.
    4. Sanitization: No content validation or sanitization of the natural language text within Markdown artifacts is performed; the skill relies on structural validation and ID traceability.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 10, 2026, 02:15 PM