pick-next-shell
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting and acting upon untrusted data from the local file system.
- Ingestion points: Reads YAML frontmatter from markdown files within the
.turbo/shells/and.turbo/plans/directories (SKILL.md). - Boundary markers: There are no explicit boundary markers or instructions provided to the agent to ignore or delimit potentially malicious instructions embedded within the ingested files.
- Capability inventory: The skill performs file reading (globbing and YAML parsing), updates metadata in local files (writing YAML), and invokes multiple downstream skills (
/expand-shell,/refine-plan,/self-improve) based on the ingested data. - Sanitization: No sanitization or validation logic is defined to inspect the content of the shell or plan files before they are used to influence the agent's planning pipeline.
Audit Metadata