implement-factory
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically discovers and executes a start command (e.g., from
package.jsonor project documentation such asCLAUDE.md) to run the application service for evaluation purposes. This creates a vector where malicious project configuration files could execute arbitrary code on the host system. - [PROMPT_INJECTION]: The orchestrator implements a subagent architecture where the full content of unit specification files (
.md) and scenario files (.md) is directly interpolated into the prompts of spawned code and evaluation agents. This creates an attack surface for indirect prompt injection where malicious instructions in these data files could influence agent behavior. - Ingestion points:
units/{unit.id}.mdandscenarios/{unit.id}/*.mdfiles read from the spec directory. - Boundary markers: The skill includes negative constraints in the prompt templates (e.g., "DO NOT read or access files in scenarios/ directories") intended to restrict agent access, though these are not cryptographically secure boundaries.
- Capability inventory: Subagents are spawned via the Agent tool and have the capability to perform implementation (file writes/modifications) and evaluation (command execution and network access to localhost).
- Sanitization: There is no evidence of sanitization or escaping applied to the interpolated markdown content before it is passed to the subagents.
Audit Metadata