ito-prd
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection.
- Ingestion points: In Step 2 ('Read existing PRD'), the skill reads content from existing local Markdown files and from GitHub issue bodies and metadata.
- Boundary markers: There are no explicit instructions to use delimiters or 'ignore embedded instructions' markers when processing the ingested content.
- Capability inventory: The skill possesses the ability to write files to the local system and to perform network-based operations via the gh CLI (Step 6).
- Sanitization: The skill does not define any sanitization or validation protocols for the external data it ingests before incorporating it into the prompt context.
- [COMMAND_EXECUTION]: The skill utilizes shell-based tools and CLI applications to interact with the environment.
- Evidence: Step 3 ('Ask follow-up questions one by one') specifies the use of Grep and Glob for codebase exploration.
- Evidence: Step 6 ('Choose output method') explicitly instructs the agent to use the gh CLI for creating and updating issues and managing labels on GitHub.
- [DATA_EXFILTRATION]: There is a potential risk of sensitive data exposure or unauthorized file access.
- Evidence: The skill allows users to 'override' the default output path in the local branch of Step 6. This capability could be exploited to write files to sensitive system directories.
- Evidence: In 'Edit mode' (Step 2), the skill reads arbitrary local files provided by the user. If an attacker leverages indirect prompt injection to supply paths to sensitive files (e.g., .env, SSH keys), the agent might read them and subsequently write their contents into a GitHub issue, resulting in data exposure.