work
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is instructed to discover and run "repo-appropriate gates" from configuration files such as package.json, task runners, CI configurations, and Makefiles. This pattern executes whatever shell commands those files define, and untrusted contributors to the repository may modify them.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted input from issue tracking systems and repository files, creating an attack surface for indirect prompt injection.
  - Ingestion points: Instructions and specifications are parsed from GitHub issues, Linear issues, PRDs, and various repository files as part of the work item resolution step.
  - Boundary markers: The skill lacks explicit instructions or boundary markers to isolate instructions found in issue descriptions or comments from the system's own operating instructions.
  - Capability inventory: The skill has significant capabilities including file system write access, arbitrary shell command execution via quality gates, and the ability to commit and push changes to remote git repositories.
  - Sanitization: No sanitization, validation, or escaping of the ingested external content is specified before the agent uses it to formulate implementation plans or execute commands.