work-delegator

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Python script scripts/create_delegation.py to process backlog items. This is a standard integration pattern for task delegation and does not involve executing user-supplied strings or untrusted code.
  • [DATA_EXFILTRATION]: No network operations or data transmission patterns were identified. The skill only reads project metadata from the .pm/ directory and searches local .py files within the project root to provide context for task delegation.
  • [INDIRECT_PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it ingests untrusted data from .pm/backlog/items.yaml and interpolates it into instructions for downstream agents.
  • Ingestion points: Backlog item titles and descriptions are read from .pm/backlog/items.yaml in scripts/create_delegation.py.
  • Boundary markers: Absent. The skill generates instructions and context packages without explicit delimiters or warnings to ignore instructions embedded in the processed data.
  • Capability inventory: The skill itself has no high-risk capabilities like network access or shell execution; it only performs file system reads and text processing.
  • Sanitization: Absent. Data from the backlog items is used directly in keyword searches and instruction templates without filtering for injection patterns.
  • [REMOTE_CODE_EXECUTION]: The script uses yaml.safe_load() to parse configuration files, which is a secure practice that prevents arbitrary object instantiation during deserialization.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 08:38 PM
Security Audit — agent-trust-hub — work-delegator