skills/antinomyhq/forge/create-plan/Gen Agent Trust Hub

create-plan

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill ingests untrusted codebase data through search and read tools to inform plan creation. This creates a potential surface for indirect injection where malicious content in the codebase could attempt to influence the agent's strategy or validation process.
      • Ingestion points: SKILL.md (via search, sem_search, and read tools).
      • Boundary markers: Absent; no instructions are provided to the agent to treat codebase content as untrusted.
      • Capability inventory: Execution of ./.forge/skills/create-plan/validate-plan.sh and ./.forge/skills/create-plan/validate-all-plans.sh.
      • Sanitization: Absent; scripts process markdown file content without explicit sanitization logic for AI prompt contexts.
  • [Unverifiable Dependencies & Remote Code Execution] (LOW): The script validate-plan.sh is a core component for validation but was not included in the source files. Based on validate-all-plans.sh, the execution pattern is localized and follows shell script best practices such as pipefail and variable quoting.
  • [Command Execution] (SAFE): The skill uses local shell scripts for plan validation, which is consistent with its stated purpose. These operations are restricted to the skill's own directory and do not involve suspicious remote downloads or privilege escalation.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:10 PM