Gen Agent Trust Hub: skills/rsmdt/the-startup/validate

Skill: validate
Verdict: Warn

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: MEDIUM
Risk Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Reference documents such as 3cs-framework.md and ambiguity-detection.md provide shell command templates (e.g., grep, find, wc) that incorporate file paths directly from user input ($ARGUMENTS). This design is susceptible to command injection if the input path contains shell metacharacters such as semicolons or pipes.
  • [DATA_EXFILTRATION]: The skill enables users to perform validation on arbitrary file paths. An attacker can use this to read sensitive local files such as .env or SSH keys. The validation report findings often leak parts of the file content back to the user.
  • [PROMPT_INJECTION]: The constitution validation mode uses LLMs to interpret semantic rules against source code, creating an indirect prompt injection surface.
  • Ingestion points: Content of external files specified by the user in $ARGUMENTS (e.g., PRD, SDD, source code).
  • Boundary markers: No protective delimiters or instructions are used to distinguish untrusted file content from system instructions.
  • Capability inventory: The agent can execute shell commands and perform LLM analysis via the Task tool.
  • Sanitization: No validation of input paths or sanitization of file content is performed prior to analysis.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 19, 2026, 06:50 AM
Security Audit — agent-trust-hub — validate