Algorithm
Pass
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the agent to execute shell commands to interact with a local notification service. Specifically, it mandates
curlPOST requests tohttp://localhost:8888/notifyto track phase transitions and provide voice feedback. This is a local infrastructure interaction for workflow visibility. - [REMOTE_CODE_EXECUTION]: Includes custom CLI utilities (
Tools/algorithm.ts,Tools/ISCManager.ts) that programmatically manage state and spawn agent instances via theclaude -pcommand. These tools dynamically construct prompts from Project Requirements Documents (PRDs) and session history stored in the workspace to facilitate autonomous loops. - [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection. It ingests data from untrusted or external sources—such as user-provided PRDs, source code, and results from
WebSearchorWebFetchtools—and interpolates this content into prompts for sub-agents. - Ingestion points:
Tools/algorithm.tsreads PRD files;SKILL.mdinstructs the agent to read workspace files in theOBSERVEphase. - Boundary markers: The prompt construction logic in
Tools/algorithm.tsand the instructions inSKILL.mddo not consistently use strict delimiters or 'ignore embedded instructions' warnings when processing this data. - Capability inventory: The environment allows for significant capabilities including file editing (
Edit,Write), command execution (Bash), and network access (WebSearch,WebFetch). - Sanitization: No explicit sanitization or validation of the processed data is implemented before it is fed back into the agent's reasoning loop.
Audit Metadata