cheese-factory
Pass
Audited by Gen Agent Trust Hub on May 28, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection vulnerability. The skill ingests untrusted software specification files and interpolates them directly into prompts for 'decomposer' and 'worker' sub-agents without isolation techniques.
  - Ingestion points: Specification files are read from the filesystem based on user-provided paths or resolved via slugs as described in `SKILL.md`.
  - Capability inventory: The orchestrator and its sub-agents have access to powerful tools including shell execution (Bash), file system modification (`/cheez-write`), and Git/GitHub operations (`git push`, `gh pr create`).
  - Boundary markers: The prompt templates in `references/decomposer-prompt.md` and `references/curd-prompt.md` lack explicit boundary delimiters (e.g., XML tags) or instructions to disregard embedded commands within the `{spec_text}` or `{behaviour}` variables.
  - Sanitization: No content validation, escaping, or filtering is performed on the ingested specification text before it is processed by the sub-agents.
- [COMMAND_EXECUTION]: Execution of bundled executable logic. The skill uses a Python Zip Application (`cheese-factory.pyz`) located in the `scripts/` directory for critical orchestration tasks like path resolution, manifest validation, and branch management. This represents execution of opaque logic shipped with the skill.
- [COMMAND_EXECUTION]: Dynamic execution of project-specific quality gates. The skill executes shell commands defined in the `quality_gates` field of the manifest (e.g., `just check`) at four distinct points in the pipeline (after seed, inside workers, after merge, and after final review).
Audit Metadata