skill-planner
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): Path traversal vulnerability in shell script operations. Variables task_number and project_name (extracted from specs/state.json) are used to construct file system paths without sanitization. Evidence: The skill executes mkdir -p "specs/${padded_num}_${project_name}" and writes to "specs/${padded_num}_${project_name}/.postflight-pending". If project_name contains directory traversal sequences like ../, the agent could be manipulated into creating or overwriting files outside of the intended specs/ directory.
- [PROMPT_INJECTION] (LOW): The skill possesses a significant attack surface for indirect prompt injection as it ingests untrusted data and maintains high-privilege capabilities.
  1. Ingestion points: Data is read from specs/state.json and a subagent-generated metadata file (.return-meta.json) using jq.
  2. Boundary markers: Absent. The skill delegates complex planning tasks to a subagent (planner-agent) by interpolating context data into a prompt without explicit delimiters or instructions to ignore embedded commands.
  3. Capability inventory: The skill can execute arbitrary Bash commands, write/edit files, and spawn subagents with broad tool access.
  4. Sanitization: Partial. While it correctly uses jq --arg for safely updating JSON files, it fails to sanitize data used in shell-level path construction and command arguments.
- [SAFE] (SAFE): The skill employs safe jq practices by using the --arg and --argjson flags to prevent JSON injection when processing task data.
Audit Metadata