goal-distill
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a shell command on macOS (pbcopy) to copy the generated goal prompt to the system clipboard. The instruction specifies a shell pipe using a template (printf '%s' "<prompt-contents>" | pbcopy) that could lead to command injection if the distilled content contains shell metacharacters (such as backticks or subshells) and is not properly escaped by the agent during execution.
- [PROMPT_INJECTION]: The skill instructs the agent to generate a prompt for a future session that includes an autonomous loop. This loop explicitly includes a "No human approval" directive for the planning phase, which encourages bypassing user confirmation for subagent actions.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it is designed to ingest and summarize untrusted data from the repository and conversation history.
  - Ingestion points: Conversation history (including potentially attacker-controlled inputs if following a PR or external log), repository state (git status, configs, diffs), and local documentation files (README, ADRs, CHANGELOG).
  - Boundary markers: Absent. The skill does not define delimiters or provide instructions to ignore potential commands embedded in the files it reads.
  - Capability inventory: The skill can read arbitrary files in the repository, view git history, and execute shell commands via pbcopy.
  - Sanitization: Absent. The skill does not specify any validation or sanitization of the content before it is processed and included in the final output prompt.
Audit Metadata