development-lifecycle

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes various shell commands to manage the development environment, including git operations (gh pr, git push), build tools (bun run), container management (docker logs), and test runners (vitest). It also references local scripts such as mux-worktree.sh and lifecycle-stop.sh for workspace isolation and gate enforcement.\n- [EXTERNAL_DOWNLOADS]: The instructions recommend installing the @openai/codex package via bun. OpenAI is a well-known service and the download targets a recognized organizational scope.\n- [REMOTE_CODE_EXECUTION]: The skill employs a multi-agent architecture, spawning 'background agents', 'parallel research agents', and specialized subagents (e.g., self-reviewer, adversarial-reviewer, verifier) to perform tasks across different execution contexts.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted data from external sources during its triage and review phases.\n
  • Ingestion points: GitHub issue comments and pull request feedback are fetched using the gh CLI tool (REFERENCE.md) and processed by the agent to guide implementation or iteration.\n
  • Boundary markers: There are no explicit boundary markers or instructions to ignore embedded commands within the processed external data in SKILL.md or REFERENCE.md.\n
  • Capability inventory: The skill possesses significant capabilities, including shell command execution (bun, vitest, docker), browser interaction, and the ability to spawn further agent instances as defined in SKILL.md and REFERENCE.md.\n
  • Sanitization: No specific sanitization, filtering, or validation logic is described for the content retrieved from external sources before it is interpreted by the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 08:50 PM
Security Audit — agent-trust-hub — development-lifecycle