infinite-dev

Warn

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The dev-agent.py script executes the claude CLI using the --dangerously-skip-permissions flag. This flag disables user confirmation prompts for dangerous operations such as file modifications and shell command execution, allowing the agent to operate fully autonomously without human oversight for sensitive system actions.
  • [COMMAND_EXECUTION]: The workflow relies on the AI creating a shell script (init.sh) and then executing it (chmod +x init.sh && ./init.sh). This results in the execution of dynamically generated code that may contain arbitrary commands.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. The dev-agent.py script reads feature descriptions and steps from feature_list.json and interpolates them directly into the system prompts of sub-agents without sanitization or the use of boundary markers. A malicious project specification could inject instructions that override the sub-agent's behavior.
  • Ingestion points: feature_list.json (read by load_features in dev-agent.py and used to build prompts in run_one_feature and run_parallel_batch).
  • Boundary markers: Absent; data is inserted directly into prompt templates.
  • Capability inventory: Subprocess execution of git, the claude CLI (with skipped permissions), and initialization scripts.
  • Sanitization: None.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 21, 2026, 01:01 PM