superplan
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It lacks sanitization and boundary markers when processing untrusted external data.
  - Ingestion points: `references/EXECUTION-GUIDE.md` Step 1 (Intake) processes user stories and ticket descriptions (Jira, GitHub, etc.). Step 4 (Research) ingests data from 'parallel web searches'.
  - Boundary markers: Absent. The prompts for intake and research do not include delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill has significant capabilities including file writing (`plans/NNN-feature/plan.md` in Step 6) and local command execution via the TDD cycle (`npm test`, `pytest`, `go test` in `references/TASK-MICROSTRUCTURE.md`).
  - Sanitization: Absent. There is no evidence of filtering or validation for the content gathered from tickets or web searches before it is incorporated into implementation plans.
- [COMMAND_EXECUTION] (MEDIUM): The skill's core functionality relies on executing a wide range of local commands for testing and linting (Category 10). While standard for a developer tool, this capability is automatically triggered as part of the TDD cycle defined in `references/TASK-MICROSTRUCTURE.md` and `references/COMMAND-OUTPUTS.md`.
- [EXTERNAL_DOWNLOADS] (LOW): `references/EXECUTION-GUIDE.md` Step 4 directs the agent to perform web searches. While not a direct package download, it introduces external data into the agent's decision-making context.
Recommendations
- AI detected serious security threats
Audit Metadata