writing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted external content (specifications/requirements) and use it to generate a detailed implementation plan.
- Ingestion points: The skill takes a "spec or requirements for a multi-step task" as input.
- Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands within the input data, making it vulnerable to injection attacks.
- Capability inventory: The generated output is explicitly designed to be consumed by high-privilege sub-skills such as superpowers:executing-plans and superpowers:subagent-driven-development, which perform file modifications and command execution.
- Sanitization: The skill lacks any mechanism to sanitize or validate the input spec, allowing malicious shell commands or code snippets to be propagated into the final plan.
- Command Execution (MEDIUM): The skill documentation mandates the creation of plans containing raw shell commands (e.g., git, pytest) and Python code blocks. While intended for legitimate TDD, this provides a structured template for an attacker to inject arbitrary commands that the agent is then instructed to run.
Recommendations
- AI detected serious security threats
Audit Metadata