write-feature-docs
Pass
Audited by Gen Agent Trust Hub on Jul 8, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface. It reads content from specification files to generate documentation drafts and open GitHub pull requests. An attacker could embed instructions within these spec files to influence the agent's behavior during the drafting or PR creation process.
- Ingestion points: Processes content from
specs/<id>/PRODUCT.mdandspecs/<id>/TECH.md. - Boundary markers: The instructions do not define clear delimiters or tell the agent to ignore instructions embedded in the specs.
- Capability inventory: The agent can write MDX files, perform Git operations (clone, commit, push), and use the GitHub CLI to create PRs.
- Sanitization: The skill includes a manual verification step where the agent flags internal implementation details from
TECH.mdfor the engineer to review before inclusion. - [DATA_EXFILTRATION]: The skill performs network-based repository operations including Git pushes and PR creation using the GitHub CLI. These operations are restricted to the author's repositories (
warpdotdev/warp-internalandwarpdotdev/docs), which is consistent with the skill's stated purpose. - [COMMAND_EXECUTION]: The skill executes shell commands via the GitHub CLI (
gh) and Git for codebase research and pull request management, such as searching for feature flags and repository content.
Audit Metadata