autonomous-common
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: An indirect prompt injection surface exists in hooks/verify-completion.sh. The script retrieves unresolved PR comments via the GitHub API and presents the initial portion of the comment text to the agent when blocking task completion. This allows external content from PR reviewers to enter the agent's instruction context.
  - Ingestion points: hooks/verify-completion.sh (fetches PR comments via the GitHub GraphQL API).
  - Boundary markers: Absent; the content is listed under a markdown header in a blocking message.
  - Capability inventory: The skill can block completion, write to a state directory, and interact with the GitHub API via the gh CLI.
  - Sanitization: The script limits the ingested content to the first line and a maximum of 80 characters.
  - Mitigation: Wrap the external comment content in clear delimiters (e.g., XML-like tags) and include an explicit instruction for the agent to ignore any commands or instructions contained within those delimiters.
- [COMMAND_EXECUTION]: The skill makes extensive use of shell scripts as lifecycle hooks (PreToolUse, PostToolUse, Stop). These scripts parse tool inputs and execute logic to enforce development rules. Although the scripts use jq and regex for input validation, the extensive shell-based logic triggered by agent actions is an important architectural pattern to note.
Audit Metadata