executing-tasks
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The core function of this skill is to execute arbitrary instructions and validation commands read from an external plan.md file. While the skill enforces a workflow with human review and batching, the underlying capability allows for file system modifications and shell command execution based on untrusted or attacker-controlled data.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection because it ingests data from a file and processes it as a set of instructions to be followed 'exactly'. Evidence Chain:
  1. Ingestion points: Reads from docs/issues/YYYY-MM-DD-<slug>/plan.md.
  2. Boundary markers: No delimiters or safety warnings are present to distinguish the agent's system instructions from the plan's data.
  3. Capability inventory: Shell command execution via validation steps and general task implementation, plus file system write access.
  4. Sanitization: No validation or sanitization is performed on the content of the plan file before execution.
Audit Metadata