execute
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted user input via the $ARGUMENTS goal statement in Phase 1 and uses it to drive the task planning and execution phases. The absence of sanitization or boundary markers creates a surface for indirect prompt injection.
  - Ingestion points: $ARGUMENTS goal statement in SKILL.md Phase 1.
  - Boundary markers: Absent; user input is directly used to define task logic.
  - Capability inventory: Extensive access to Bash, Write, Edit, Read, Glob, Grep, WebSearch, WebFetch, and the Task tool (subagents), as detailed in SKILL.md and references/agent-selection.md.
  - Sanitization: Absent; no instructions are provided to validate or filter the goal content.
- [COMMAND_EXECUTION]: The orchestration protocol explicitly directs the agent to use the Bash tool for running git operations, GitHub CLI commands, and arbitrary build or test scripts identified during task decomposition.
- [DATA_EXFILTRATION]: The skill combines the ability to read the entire codebase (via Glob, Grep, Read) with outbound network capabilities (WebSearch, WebFetch). While intended for research and execution, this capability chain could be exploited to exfiltrate sensitive data if directed by a malicious task plan.
Audit Metadata