knowledge-stack
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands, specifically 'ls ~/Developer/' to discover repositories and 'backlog doc list' to interact with local repository tooling. These commands are intended to provide the agent with local context.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because its primary function is to ingest and reason from external, user-managed markdown files (backlog documents and a personal 'Basic Memory' vault).
- Ingestion points: Files are read from local repository paths and via the 'basic-memory' MCP tool.
- Boundary markers: The instructions neither specify delimiters to separate retrieved content from instructions nor warn the agent to ignore potentially malicious instructions embedded within the retrieved notes or documents.
- Capability inventory: The agent can perform file system operations, execute CLI tools, and search/read notes via the MCP interface.
- Sanitization: There is no evidence of sanitization or validation of the content retrieved from the external markdown artifacts.
Audit Metadata