plan
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests context from local research files (.agents/research/*.md), planning rules (.agents/planning-rules/*.md), and findings (.agents/findings/registry.jsonl) to influence its planning decisions and implementation specs.
  - Ingestion points: Research markdown files, compiled planning rules, findings registry file, and the aoknowledge lookup tool.
  - Boundary markers: No specific delimiters or instructions are used to separate ingested data from agent instructions.
  - Capability inventory: The skill has access to shell execution, task management tools, and the beads (bd) CLI.
  - Sanitization: Content from external files is not validated or sanitized before being used as hard context for planning.
- [COMMAND_EXECUTION]: The skill performs various shell operations including directory creation, file searching, and code auditing (grep, wc, find, go test, go build). While standard for development, these commands are executed based on logic that incorporates data from potentially untrusted local files.
Audit Metadata