ultraqa
Pass
Audited by Gen Agent Trust Hub on May 29, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes project-specific shell commands for testing, building, linting, and type-checking based on user-provided arguments. It also manages its own state by executing file system operations such as `rm -f .omc/state/ultraqa-state.json`.
- [PROMPT_INJECTION]: The skill creates an autonomous loop that processes untrusted data (test and build outputs) and feeds it to an 'architect' subagent for diagnosis. The resulting recommendations are then passed to an 'executor' subagent to modify files. This chain lacks boundary markers or sanitization, making it vulnerable to indirect prompt injection, where malicious instructions embedded in log outputs could trick the agent into performing unintended or harmful file modifications.
- Ingestion points: External test and build outputs are ingested into the context in the 'ARCHITECT DIAGNOSIS' step within `SKILL.md`.
- Boundary markers: None. The test/build output is interpolated directly into the subagent prompt.
- Capability inventory: The workflow involves file system writes (via the `executor` subagent) and arbitrary command execution (during the 'RUN QA' phase).
- Sanitization: No validation, escaping, or filtering of the ingested log content is performed before it influences the subagent's logic.
Audit Metadata