prd-to-goal

Warn

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's 'Post-timeout assertion grader' logic (Section 8) explicitly instructs the agent to execute a shell command using the platform's CLI: CLAUDE_CODE_FORK_SUBAGENT=1 claude -p --bare "$(cat /tmp/grader-prompt.txt)". This command launches a new sub-agent instance based on content written to a temporary file.
  • [COMMAND_EXECUTION]: The 'Quality streak' recipe in the library involves executing shell commands like rm -f .claude/chain/verify-streak.json to manage state files directly via the bash tool.
  • [PROMPT_INJECTION]: The skill is designed to ingest untrusted data from external sources including PRD text, GitHub issues (via gh issue view), and local spec files. This ingested data is used to generate the executable assertions and the prompts used by the grader sub-agent.
      - Ingestion points: Inputs defined in Section 2 (PRD text, GitHub issue body, Spec files).
      - Boundary markers: None identified in the decomposition algorithm or grader logic to delimit untrusted content or prevent instruction override.
      - Capability inventory: The skill has access to Bash, Write, Read, and Grep tools, which are used to generate and execute assertions.
      - Sanitization: No sanitization or validation steps are mentioned for the incoming PRD or issue text before it is used to construct shell commands or sub-agent prompts.
  • [DYNAMIC_EXECUTION]: The grader pattern implements a dynamic execution workflow where the agent writes instructions to a temporary file (/tmp/grader-prompt.txt) and then executes those instructions by spawning a new CLI process. This allows for the runtime generation of executable agent logic based on the processed (and potentially untrusted) task context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 20, 2026, 11:02 PM
Security Audit — agent-trust-hub — prd-to-goal