writing-plans
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill contains defensive instructions to mitigate indirect prompt injection by explicitly requiring the agent to treat content from design documents and issue trackers as data only and to disregard any instructions found within them.
- [COMMAND_EXECUTION]: Executes `git rev-parse --show-toplevel` to programmatically determine the project root. This is a standard, safe operation for repository navigation.
- [DATA_EXPOSURE]: Implements input validation to prevent path traversal. The skill uses a strict regex (`^[a-zA-Z0-9]([a-zA-Z0-9_-]*[a-zA-Z0-9])?$`) to sanitize issue IDs before incorporating them into file paths for plan storage and visual diagrams.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: Accesses potentially untrusted data from `docs/designs/<issue-id>-*.md`, project `CLAUDE.md` files, and external Linear issue contexts.
  - Boundary markers: Includes explicit instructions to ignore embedded instructions in design documents and avoid verbatim embedding of issue data in prompts or visual titles.
  - Capability inventory: Has permissions to write files to the local workspace (`docs/plans/`) and the agent's diagram directory (`~/.agent/diagrams/`), execute Git commands, and launch a browser to view local files.
  - Sanitization: Employs regex-based sanitization for identifiers and instructions to derive safe descriptions rather than using untrusted text directly.
Audit Metadata