auto-trigger

Pass

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: SAFEPROMPT_INJECTIONNO_CODE
Full Analysis
  • [PROMPT_INJECTION]: The skill defines a mechanism for 'chaining' skills where completion data from one skill is passed as 'context' to the next. This creates an indirect prompt injection surface because it interpolates dynamic, potentially untrusted variables into the instructions of the next agent in the chain.
  • Ingestion points: The SKILL.md file defines multiple points where variables are interpolated into context strings, such as context: "PRD created for {feature_name}" (line 20), context: "Implemented PRD: {feature_name}" (line 26), and context: "PR created: {pr_title}" (line 86).
  • Boundary markers: The schema does not define or enforce the use of delimiters, delimiters, or system-level 'ignore embedded instructions' warnings to isolate these interpolated variables from the instruction context.
  • Capability inventory: The skills triggered by this configuration (e.g., self-improving-agent, prd-planner) are described as having powerful tools including Bash, Write, and WebSearch, which could be exploited if malicious content is successfully injected through the context variables.
  • Sanitization: There is no evidence of validation or sanitization requirements for the variables before they are passed between skills.
  • [NO_CODE]: This skill contains no executable code (Python, JavaScript, or Shell scripts). It consists exclusively of YAML configuration and Markdown instructions intended for use by a workflow orchestrator.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 22, 2026, 06:15 PM
Security Audit — agent-trust-hub — auto-trigger