build
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE (flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation describes the use of shell commands such as 'mkdir' and 'cat' to manage session directories and state. These commands use variables such as '$SESSION' and '', which are derived from user-provided feature descriptions. If the orchestrating agent does not strictly validate that input before the command is executed, this pattern is a potential vector for command injection.
- [PROMPT_INJECTION]: The skill manages a multi-agent pipeline in which the output of one phase (e.g. 'discovery-interview') is used to construct the prompt for the next (e.g. 'plan-agent'). This creates an attack surface for indirect prompt injection (Category 8).
- Ingestion points: The workflow ingests untrusted data from the initial user description and from subsequent artifacts such as specifications, plans, and research documents.
- Boundary markers: Prompts for sub-agents use markdown headers and triple-dash separators to distinguish instructions from data context, but these markers do not reliably prevent a model from following adversarial instructions embedded in the data.
- Capability inventory: The orchestrator can write to the local filesystem, spawn multiple sub-agents, perform git commit operations, and interact with pull requests.
- Sanitization: The skill instructions do not specify any explicit validation, escaping, or sanitization of user-provided or agent-generated strings before they are interpolated into shell commands or downstream prompts.
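The following is an added illustration of the COMMAND_EXECUTION finding, not code from the audited skill or from Gen Agent Trust Hub. It assumes the orchestrating agent assembles a command line as a string and hands it to `sh -c` (the usual way an agent runs a documented `mkdir`/`cat` step); the function names `unsafe_create_session`, `safe_create_session`, `slugify` and `validate_session`, the `$WORK` directory and the sample feature description are all hypothetical. The unsafe form shows how a feature description containing shell metacharacters executes an extra command; the safe form reduces the description to an allowlisted slug, validates it, and passes it to `mkdir` as a single quoted argument that is never re-parsed by a shell.

```shell
#!/bin/sh
# Added example (not the skill's own code). Shows the interpolation pattern the
# audit flags ($SESSION derived from a user-supplied feature description) in an
# unsafe and a hardened form. All names here are assumptions for illustration.
set -u

# Scratch directory so the demo never touches the caller's working tree.
WORK="${TMPDIR:-/tmp}/session-demo.$$"
mkdir -p -- "$WORK"

# UNSAFE: the command is built as a string and re-parsed by a shell, so
# metacharacters in the description (';', '`', '$(...)') become commands.
# Prints anything the injected command prints.
unsafe_create_session() {
    desc="$1"
    sh -c "mkdir -p $WORK/$desc"
}

# Reduce arbitrary text to a slug containing only [a-z0-9-]:
# lowercase, replace every other byte with '-', collapse runs, trim ends,
# cap the length. Anything that was a shell operator is gone afterwards.
slugify() {
    printf '%s' "$1" \
        | tr 'A-Z' 'a-z' \
        | tr -c 'a-z0-9\n' '-' \
        | tr -s '-' \
        | sed 's/^-//; s/-$//' \
        | cut -c1-64
}

# Positive allowlist check, independent of slugify, so a future change to the
# slug rules cannot silently let '.', '/', or an empty name through.
validate_session() {
    case "$1" in
        '') return 1 ;;                 # empty name would mean "$WORK/"
        *[!a-z0-9-]*) return 1 ;;       # anything outside the allowlist
    esac
    return 0
}

# SAFE: derive, validate, then pass the name as one argument. No shell ever
# re-parses it, and '--' stops a name from being read as an option.
# Prints the session name it created.
safe_create_session() {
    session=$(slugify "$1")
    validate_session "$session" || return 1
    mkdir -p -- "$WORK/$session" || return 1
    # State is written as data; the raw description never reaches a command line.
    printf 'feature: %s\n' "$1" > "$WORK/$session/state.md"
    printf '%s\n' "$session"
}

cleanup_session_demo() {
    rm -rf -- "$WORK"
}

# Usage (uncomment to run the demo by hand):
#   unsafe_create_session 'x;echo INJECTED'   # prints INJECTED: injected command ran
#   safe_create_session   'x;echo INJECTED'   # prints x-echo-injected, nothing else ran
#   cleanup_session_demo
```

The important difference is structural rather than cosmetic: quoting `"$SESSION"` inside a string that is later given to `sh -c` would not help, because the string is re-parsed as a whole. The hardened form keeps the user-controlled value out of any string that a shell parses and additionally constrains it to a character set that cannot form a path component like `..` or an option like `-rf`.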
Audit Metadata