ship-playbook
Pass
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to perform repository management tasks, including git operations (checkout, merge, worktree management), JSON processing with jq, and running helper scripts with node.
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to install additional components from the author's resources, specifically using npx skills add to fetch skills from github.com/ulpi-io/skills and npx agentshq add for agents from the ulpi-io registry.
- [PROMPT_INJECTION]: The skill processes untrusted user-provided feature requests which are interpolated into prompts for planning and engineering agents. 1. Ingestion points: Untrusted data enters the agent context via the request argument in SKILL.md and repository files read via Glob and Read tools. 2. Boundary markers: While the skill uses structured briefs for sub-agents, it lacks explicit sanitization or delimiters for the initial user-provided prompt to prevent instruction override. 3. Capability inventory: The workflow has extensive capabilities, including Bash execution, filesystem Write access, and the ability to spawn sub-agents and workflows. 4. Sanitization: The workflow-template.js script implements an Adversarial verification phase to check findings against code and specs, providing a layer of validation for generated content.
- [REMOTE_CODE_EXECUTION]: The skill orchestrates complex tasks by executing the provided references/workflow-template.js using the Workflow tool and spawning sub-agents with the Agent tool to handle planning, building, and reviewing.
Audit Metadata