work-on-issue
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes standard development lifecycle scripts (`test`, `typecheck`, `lint`, and `build`) using the project's detected package manager (`npm`, `yarn`, `pnpm`, or `bun`). These commands are based on the configurations found in the project's `package.json` file.
- [PROMPT_INJECTION]: The skill identifies and processes instructions from external markdown files located in the `plans/` directory. This creates an indirect prompt injection surface where the agent might follow malicious instructions if the underlying issue files are compromised.
  - Ingestion points: The agent reads `README.md`, `progress.md`, and issue-specific markdown files (`plans/<plan>/issues/*.md`) to determine its task scope.
  - Boundary markers: The skill does not implement delimiters or safety warnings to distinguish between system instructions and external data; it explicitly instructs the agent to "Follow the issue file exactly."
  - Capability inventory: The agent has the capability to modify local project files and execute shell commands through the package manager as part of its standard operation.
  - Sanitization: No validation or sanitization of the content within the issue files is performed prior to the implementation step.
Audit Metadata