autonomous-pipeline

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill manages a significant surface area for Indirect Prompt Injection (Category 8) due to its nature as a multi-stage autonomous pipeline.
  • Ingestion points: External data enters the context via the $request argument and is propagated through intermediate artifacts like specifications and plans (.ulpi/spec/*.md, .ulpi/plans/*.json).
  • Boundary markers: The skill uses logical phase separation and explicit "gate" success criteria, although it lacks cryptographic or structural enforcement against adversarial data in the request.
  • Capability inventory: The pipeline utilizes powerful tools including Bash, Write, Edit, and Workflow across its phases.
  • Sanitization: The primary security mechanism is a mandatory human approval step of the generated plan, which acts as the sole gate before the autonomous execution of code changes and validation commands.
  • [COMMAND_EXECUTION]: The skill performs extensive shell operations through the Bash tool and agent-driven commands, including git worktree management, branch manipulation, and the execution of both task-specific and workspace-wide validation scripts (VALIDATE). These are necessary for the skill's engineering lifecycle purpose but represent a powerful capability set.
  • [REMOTE_CODE_EXECUTION]: The skill uses the Workflow tool to execute an orchestration script (references/pipeline-workflow.js). This script is a local component of the skill package and manages the execution of the pipeline phases. It does not download or execute code from external, untrusted sources.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 09:15 AM
Security Audit — agent-trust-hub — autonomous-pipeline