autonomous-pipeline
Pass
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill manages a significant surface area for Indirect Prompt Injection (Category 8) due to its nature as a multi-stage autonomous pipeline.
- Ingestion points: External data enters the context via the
$requestargument and is propagated through intermediate artifacts like specifications and plans (.ulpi/spec/*.md,.ulpi/plans/*.json). - Boundary markers: The skill uses logical phase separation and explicit "gate" success criteria, although it lacks cryptographic or structural enforcement against adversarial data in the request.
- Capability inventory: The pipeline utilizes powerful tools including
Bash,Write,Edit, andWorkflowacross its phases. - Sanitization: The primary security mechanism is a mandatory human approval step of the generated plan, which acts as the sole gate before the autonomous execution of code changes and validation commands.
- [COMMAND_EXECUTION]: The skill performs extensive shell operations through the
Bashtool and agent-driven commands, including git worktree management, branch manipulation, and the execution of both task-specific and workspace-wide validation scripts (VALIDATE). These are necessary for the skill's engineering lifecycle purpose but represent a powerful capability set. - [REMOTE_CODE_EXECUTION]: The skill uses the
Workflowtool to execute an orchestration script (references/pipeline-workflow.js). This script is a local component of the skill package and manages the execution of the pipeline phases. It does not download or execute code from external, untrusted sources.
Audit Metadata