component-factory

Fail

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill explicitly uses mode: "bypassPermissions" when spawning both builder and reviewer subagents. This instruction attempts to override the agent framework's built-in security constraints and permission filters.
  • [COMMAND_EXECUTION]: In step 4, the skill interpolates untrusted text directly into a shell command: gh pr create --title "<title>" --body "$(cat <<'EOF' <body from builder output> EOF )". If the subagent's output (which is derived from untrusted GitHub issue content) contains the string EOF followed by shell commands, it will result in arbitrary command execution on the user's machine.
  • [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection vulnerability. It reads content from GitHub issues (gh issue view N) and feeds it directly into the subagent's instructions (prompt: "Build the component for issue #N. Run gh issue view N for requirements."). A maliciously crafted GitHub issue could contain instructions that hijack the subagent's behavior.
  • [DATA_EXFILTRATION]: Because the skill has the capability to push to remote repositories (git push) and create pull requests, the command injection vulnerability mentioned above could be leveraged by an attacker to exfiltrate sensitive local files or environment variables by including them in the PR body or pushing them to a branch.
  • [COMMAND_EXECUTION]: The skill executes local binary scripts (bin/worktree) with arguments derived from the agent's internal state. While these appear to be part of the project infrastructure, their execution is triggered automatically based on potentially untrusted input processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 22, 2026, 06:46 AM
Security Audit — agent-trust-hub — component-factory