shepherd
Pass
Audited by Gen Agent Trust Hub on May 22, 2026
Risk Level: SAFE (findings: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION]: The skill contains instructions that minimize human oversight by directing the agent to operate autonomously for extended periods. It explicitly states, "You do NOT ask the user questions during execution. Resolve everything yourself," which could allow unintended or malicious actions to proceed without verification.
- [COMMAND_EXECUTION]: The orchestrator is designed to run various shell commands for project management, including git operations (worktrees, diffs, merges) and development tools (tests, linters, type checkers). It also dispatches subagents with broad execution capabilities within the workspace.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection as it processes untrusted data from the project directory.
  - Ingestion points: Reads project requirements and implementation plans from .shepherd/spec.md and .shepherd/plan.md (SKILL.md).
  - Boundary markers: None identified. The instructions do not define clear boundaries or "ignore" directives for content within the ingested files.
  - Capability inventory: The agent can perform filesystem modifications, execute shell commands, and spawn new subagent instances (SKILL.md, prompts/implementer.md).
  - Sanitization: No evidence of sanitization or validation of the input data before it is used to guide the autonomous orchestration loop.
Audit Metadata