zoe-creating-tasks
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes the content of 'docs/PLAN.md' to drive the task creation logic. If an attacker can influence the contents of the project's plan file, they could potentially inject malicious instructions that the agent would follow when generating tasks.
  - Ingestion points: 'docs/PLAN.md' (read using the 'cat' command in SKILL.md).
  - Boundary markers: Absent. There are no explicit delimiters or instructions telling the agent to treat the plan content as untrusted data.
  - Capability inventory: The skill can invoke the 'create_task' reducer, execute arbitrary shell commands via 'bash', and perform 'git' operations.
  - Sanitization: Absent. The content read from the file is directly used to generate task descriptions and parameters.
- [COMMAND_EXECUTION]: The skill uses multiple shell command blocks to navigate the filesystem, verify file existence, and perform file operations.
  - Evidence: 'bash' blocks are used for directory navigation ('cd'), file reading ('cat'), directory creation ('mkdir'), and file movement ('mv').
- [DATA_EXFILTRATION]: The skill performs network operations that transmit local project data to external systems.
  - Evidence: The skill executes 'git push origin main' to synchronize local changes with a remote repository and uses the 'probe' CLI tool ('probe message directive') to send updates to an external project management system.