build
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE
Flagged categories: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by relying on plan files in `docs/plan/` to guide its operations. These files are external to the skill's own prompt and can potentially contain malicious instructions.
  - Ingestion points: Content of plan files located at paths specified in `$ARGUMENTS` or found in `docs/plan/` (SKILL.md).
  - Boundary markers: Uses a user confirmation step ("Start building") in Phase 0 after summarizing the plan scope to ensure human oversight (SKILL.md).
  - Capability inventory: File system access (reading context, writing code/tests), shell command execution (`ls`, `rm`, build tools), and tool execution (`/create-pr`, review agents) (SKILL.md).
  - Sanitization: No automated validation of the plan file content is performed; reliance is placed on the user's manual review of the scope.
- [COMMAND_EXECUTION]: The skill executes various shell commands such as `ls`, `rm -rf docs/reviews/`, and the project's formatting, linting, and testing tools. These are controlled by the skill's logic but interact with the codebase (SKILL.md).
- [EXTERNAL_DOWNLOADS]: The skill is instructed to install missing dependencies or packages if they are referenced in the implementation plan. This introduces a risk if a malicious plan specifies harmful or typosquatted packages (SKILL.md).
Audit Metadata