doc-adr-reviewer
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the AI agent to execute shell commands to maintain a mandatory drift cache. Specific instructions include running `sha256sum <file_path> | cut -d' ' -f1` to compute content hashes and `grep` to validate the cache file.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it extracts instructions (file paths and anchors) from untrusted data sources.
  - Ingestion points: The agent parses Architecture Decision Records (ADRs) and BDD feature files, specifically looking for tags like `@bdd:` and markdown links.
  - Boundary markers: The skill does not define delimiters or provide instructions to ignore embedded commands within the processed ADR/BDD content.
  - Capability inventory: The skill uses bash command execution (`sha256sum`, `grep`, `cut`) and file read/write operations for the `.drift_cache.json` file.
  - Sanitization: There is no mention of path sanitization or validation to ensure the extracted paths remain within the intended documentation directories.
- [DATA_EXPOSURE]: The three-phase detection algorithm instructs the agent to resolve extracted references to absolute file paths and read their content. Without strict path validation, this could be exploited via path traversal (e.g., `@bdd: ../../../.ssh/id_rsa`) to cause the agent to reveal the existence or hash of sensitive system files.
Audit Metadata