writing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill creates an exploitable trust chain between untrusted feature descriptions and an automated execution subagent. Findings include:
- Ingestion points: The skill processes external feature names, goals, and descriptions (File: SKILL.md).
- Boundary markers: Absent. The plan structure lacks delimiters or 'ignore' instructions to prevent external text from being interpreted as code logic.
- Capability inventory: The output is explicitly integrated with an executor skill capable of file creation, modification, and shell command execution (e.g., npm test, git commit).
- Sanitization: Absent. The core principle mandates 'exact code' and 'complete code samples' derived from descriptions, with no requirement to sanitize or validate the generated content before execution.
- Command Execution (INFO): The template includes examples of shell commands such as npm test and git commit. While standard for implementation plans, these confirm the high-privilege capabilities of the intended downstream execution environment.
Recommendations
- AI detected serious security threats
Audit Metadata