planner

Pass

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection (Category 8) due to its data processing model.
      • Ingestion points: The skill ingests codebase content during Step 1 (Context Discovery) and Step 3 (Milestone Execution) to inform planning and delegation.
      • Boundary markers: While the skill defines an XML structure for 'exploration-output.md', it does not include explicit delimiters or instructions to the LLM to ignore embedded commands within analyzed files.
      • Capability inventory: The skill possesses the ability to write files (plans and code diffs) and execute local scripts, which could be influenced by malicious content found in ingested files.
      • Sanitization: There is no evidence of sanitization for external codebase content before it is interpolated into the orchestration workflow.
  • COMMAND_EXECUTION (SAFE): The skill executes its own internal Python modules to manage task states.
      • Evidence: The SKILL.md file specifies hardcoded commands to invoke 'skills.planner.planner' and 'skills.planner.executor'. This command execution is a core part of the skill's orchestration logic and is restricted to pre-defined internal modules.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 21, 2026, 07:24 AM