skills/somtougeh/dotfiles/plan/Gen Agent Trust Hub

plan

Fail

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill dynamically generates shell commands using data derived from user input. In the 'Planning & Structure' section, the 'git checkout -b [branch-name]' command uses a branch name constructed from the user-provided feature description. If the kebab-case conversion process does not strictly sanitize shell metacharacters, an attacker could achieve arbitrary command execution.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it automatically parses and follows instructions within 'brainstorm.md' and 'spec.md' files found in the repository. These files can influence the skill's logic flow, such as skipping refinement steps based on frontmatter flags.
    * Ingestion points: User input via '#$ARGUMENTS'; local repository files ('brainstorm.md', 'spec.md').
    * Boundary markers: The skill uses XML-like tags ('<feature_description>') for user arguments but lacks delimiters when reading from local project files.
    * Capability inventory: Execution of shell commands ('git', 'ls'), filesystem write operations, and the ability to trigger external research tasks.
    * Sanitization: There is no evidence of input validation or sanitization for strings used in shell commands or logic branching.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 29, 2026, 07:09 AM
Security Audit — agent-trust-hub — plan