planning
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION] (HIGH): The skill instructions in 'references/codebase-understanding.md' explicitly direct the agent to 'Analyze dotenv files and configuration'. This facilitates the exposure of sensitive credentials such as API keys and database passwords to the LLM context.
- [COMMAND_EXECUTION] (MEDIUM): In 'references/plan-organization.md', the skill executes 'node .claude/scripts/set-active-plan.cjs {plan-dir}'. This is a dynamic command execution pattern targeting a local script path which could be manipulated if the workspace is untrusted.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The 'references/research-phase.md' file instructs the agent to use 'repomix --remote ' to fetch and process remote repositories. This allows the ingestion of untrusted code into the planning context.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) via its research functions.
  - Ingestion points: 'references/research-phase.md' (via repomix and the gh command reading PRs/Issues).
  - Boundary markers: Absent; no instructions are provided to ignore or delimit instructions found within external data.
  - Capability inventory: 'references/plan-organization.md' (node script execution), 'references/research-phase.md' (remote repository analysis, GitHub CLI).
  - Sanitization: Absent; no sanitization or validation of the ingested remote content is mentioned.
Recommendations
- AI detected serious security threats
Audit Metadata