skills/somtougeh/dotfiles/file-todos/Gen Agent Trust Hub

file-todos

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to use several shell commands (e.g., ls, grep, cp, mv, awk) to automate the management of todo files in the todos/ directory. While these are standard development tasks, the use of shell pipes and variable interpolation (NEXT_ID, priority, description) requires the agent to handle filenames safely to avoid potential injection vulnerabilities.
  • [PROMPT_INJECTION]: The skill is designed to ingest and process data from external sources like PR comments, code findings, and feedback to populate work items. This content is used to fill the 'Problem Statement' and 'Findings' sections of todo files. Maliciously crafted input in these external sources could potentially influence the agent's behavior when it later reads, triages, or executes the recommended actions in these files (Indirect Prompt Injection).
      • Ingestion points: Reads content from pull request comments, code findings, and existing markdown files in the todos/ directory.
      • Boundary markers: Uses YAML frontmatter delimiters (---) and Markdown headers to structure data, though no explicit 'ignore instructions' warnings are provided for the content sections.
      • Capability inventory: Performs file system operations (cp, mv), search operations (grep), and file naming logic through shell commands defined in SKILL.md.
      • Sanitization: No explicit sanitization or validation of the ingested external content is described in the skill instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 07:09 AM