utility-pm-skill-iterate
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core functionality relies on processing untrusted external data to modify agent instructions.
  - Ingestion points: `SKILL.md` (Step 3) processes validation reports (Report schema: v1) and free-text feedback as input for changes.
  - Boundary markers: The instructions do not specify the use of delimiters or 'ignore embedded instructions' warnings when the agent processes these external inputs.
  - Capability inventory: The skill utilizes file-read (`SKILL.md` Step 2) and file-write (`SKILL.md` Step 5) capabilities to modify files like `SKILL.md`, `TEMPLATE.md`, and `HISTORY.md`.
  - Sanitization: There is no mention of sanitizing or escaping content from the reports or feedback before it is used to generate the proposed edits.
- [SAFE]: The skill implements a mandatory human-in-the-loop (HITL) confirmation step (Step 4 and 5), requiring the user to review and approve all proposed changes before any files are written to the disk.
- [SAFE]: A 'stale-preview guard' (Step 5) is included, which re-reads target files before writing to ensure the content hasn't changed since the preview was generated, preventing accidental overwrites.
- [SAFE]: The skill suggests running a local linting script (`bash scripts/lint-skills-frontmatter.sh`) as a next step, which is a standard and safe development practice.
Audit Metadata