pm-ia
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It is designed to read and process content from
docs/pm-context/pm-context.md(Step 1) to extract headings and entity definitions. However, it lacks explicit boundary markers (such as XML tags or unique delimiters) or instructions to ignore embedded commands within the ingested text. An attacker or a malicious project file could include instructions to override the agent's behavior during this extraction process. - Ingestion points:
docs/pm-context/pm-context.mdspecified in the Step 1 logic. - Boundary markers: Absent. The skill does not define specific delimiters to encapsulate the untrusted data being read.
- Capability inventory: The skill has permissions to read and write local markdown files within the project workspace, including hidden directories like
.loop/. - Sanitization: Absent. There is no mention of filtering or escaping content extracted from the headings or entity definitions before they are processed by the agent.
Audit Metadata