dig-plan
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It reads external, untrusted content from 'PLAN' files and uses this data to drive decision-making and file modification logic.
- Ingestion points: The skill uses the
Readtool to ingest full content from user-specified file paths. - Boundary markers: No boundary markers or delimiters are defined to isolate untrusted file content from the agent's instructions.
- Capability inventory: The skill possesses the
Edittool, providing the ability to modify local files based on instructions derived from the ingested content. - Sanitization: No sanitization or validation of the plan content is performed before it influences the agent's output or tool calls.
- [DATA_EXFILTRATION] (MEDIUM): The skill lacks file path validation or sandboxing. It accepts arbitrary file paths from users to 'Read' and 'Edit', which could be used to target sensitive local configuration files or credentials (Category 2). While no explicit network exfiltration tools are used in the skill script, reading sensitive data into the agent's context is a significant exposure risk.
Recommendations
- AI detected serious security threats
Audit Metadata