archive-milestone
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs file system operations including reading, writing, and deleting directories (
milestones/{slug}/). It also executes global search and replace operations across the repository to update references. These actions are within the expected scope of a project management tool but represent a capability that could be abused if the agent is influenced by malicious data. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the ingestion of untrusted data from project files.
- Ingestion points: Reads content from
milestones/{slug}/tasks.mdand other repository files during reference updates. - Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions when processing external file content into the generated summary.
- Capability inventory: File read, write, and directory deletion; global repository search/replace.
- Sanitization: No explicit sanitization or validation of the ingested content is mentioned before it is interpolated into the snapshot summary or used to update other files. An attacker with write access to the project documentation could embed instructions that might mislead the agent during the summary generation process.
Audit Metadata