pace
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions in `context-essentials.md` mandate the execution of `bash .ai_state/init.sh` during implementation and review stages. This pattern executes a shell script residing within the project's local state directory.
- [EXTERNAL_DOWNLOADS]: In the `System` workflow route defined in `SKILL.md`, the skill references `npx ecc-agentshield scan`, which involves downloading and executing a package from the NPM registry.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it processes various project files to manage its state and hand off tasks between models. Maliciously crafted content in these files could influence agent behavior.
  - Ingestion points: The agent reads state and configuration from `.ai_state/project.json`, `.ai_state/progress.md`, `.ai_state/tasks.md`, and `handoff.md`.
  - Boundary markers: There are no explicit instructions or delimiters used to ensure the agent disregards potential instructions embedded within the data read from these files.
  - Capability inventory: The agent has extensive capabilities, including executing shell commands, running tests, and managing Git operations.
  - Sanitization: No evidence of input sanitization or validation is present for the project-level data ingested during the workflow.