koda-todo
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its reliance on the `KODA-TODO.md` file for task instructions.
  - Ingestion points: The agent is explicitly instructed in `SKILL.md` to read `KODA-TODO.md` to determine 'further steps' and check task statuses.
  - Boundary markers: Absent. There are no instructions to the agent to treat the file content as untrusted or to ignore embedded instructions.
  - Capability inventory: The skill utilizes powerful tools across all its sections, including `run_terminal_command` (Shell), `edit_file` (Edit), and `create_new_file` (WriteFile).
  - Sanitization: Absent. The agent processes the content of the markdown file without any validation or filtering.
- [COMMAND_EXECUTION]: The skill utilizes shell execution tools (`run_terminal_command` and `Shell`) to manage the file system, specifically for deleting the `KODA-TODO.md` file upon completion of tasks. While the documented intent is benign file management, providing instructions for shell usage increases the attack surface if combined with the indirect prompt injection vulnerability mentioned above.
Audit Metadata