plan-review
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes external implementation plan files and injects their content directly into prompts for review sub-agents. A malicious plan file could contain hidden instructions designed to divert the agents from their intended review tasks.
  - Ingestion points: `SKILL.md` Phase 0 (Detect plan file) searches for files in `${CLAUDE_CONFIG_DIR}` or project cache directories.
  - Boundary markers: The sub-agent prompts in `agent-prompts-quick.md` and `agent-prompts-thorough.md` use markdown bold labels (e.g., `**Plan:**`) to separate instructions from data, but they lack explicit instructions to ignore embedded commands or instructions within the plan content.
  - Capability inventory: Review agents have access to the `Agent` tool for spawning further sub-tasks, `TaskCreate` for task management, and the main agent can execute shell commands.
  - Sanitization: There is no evidence of input validation, filtering, or sanitization of the loaded plan content before it is interpolated into prompts.
- [COMMAND_EXECUTION]: The skill performs shell command execution to locate plan files using `find`. Additionally, it can invoke external CLI tools like `codex` and `gemini` for analysis when the `--external` flag is provided. These operations are part of the skill's intended functionality but represent a technical surface for potential command injection if input is not handled strictly by the agent's execution environment.
Audit Metadata