prd-generator
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill architecture creates a surface for indirect prompt injection. It takes arbitrary text (feature descriptions) and passes it through multiple processing stages (roles) that drive tool actions.
  - Ingestion points: The feature description provided by the user in SKILL.md Step 1b.
  - Boundary markers: Not present. The skill does not use specific delimiters or instructions to prevent the agent from obeying commands embedded in the feature description.
  - Capability inventory: Significant. The skill can create files, execute shell commands, and interact with Atlassian (Confluence), Slack, Linear, Asana, Notion, and Gmail.
  - Sanitization: No sanitization of user input is specified.
- [COMMAND_EXECUTION]: The skill's YAML frontmatter includes bash_tool in the tools list. Although the execution steps primarily focus on file creation and MCP connector usage, the availability of a shell environment to a skill processing untrusted input is a risk factor.
- [DATA_EXFILTRATION]: The skill is designed to transmit data to external services (Confluence, Slack, Gmail). This capability could be abused if a malicious user provides an input that causes the agent to include sensitive local data, such as environment variables, in the generated PRD or notification messages.