plan-decompose
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill dynamically assembles shell commands around the 'uv run' utility. Specifically, it executes a local script, '.claude/skills/github-tools/scripts/gh.py', with arguments such as '--title' and '--body' whose values are populated directly with text parsed from 'plan.md'. Without explicit validation, unambiguous option/value separation, or shell escaping, this permits argument injection: a work unit title that begins with '--' lands where the option parser expects a value and is read as a flag, and a title containing shell metacharacters (';', '|', '$(...)') is split into additional commands if the assembled string is handed to a shell rather than passed as an argument vector.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). Evidence chain: 1. Ingestion points: the skill reads work unit details from 'plan.md'. 2. Boundary markers: none; the skill gives the agent no instruction to delimit the plan content or to ignore instructions embedded in it. 3. Capability inventory: subprocess execution ('uv run') and GitHub API interaction, so injected instructions have consequential tools within reach. 4. Sanitization: absent; the skill instructions specify no validation or filtering of the content extracted from the plan file before it is used to generate tool commands.
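The following is an added example written for this page, not code from the audit or from the skill's own gh.py. It reproduces the hostile-input scenario behind both findings above: a plan.md whose work unit titles begin with '--' or carry a ';', fed first through the vulnerable string-interpolation pattern, then through a plain argv list, then through a hardened builder. The plan format (one work unit per '## ' heading), the option set of gh.py ('--title', '--body', '--dry-run') and the sample plan text are all constructed assumptions; the real script's interface is not described in the audit, so a stand-in argparse parser is used to show how each argv is interpreted.

```python
import argparse
import shlex

GH_SCRIPT = ".claude/skills/github-tools/scripts/gh.py"

# Constructed plan.md excerpt (not from the skill): two work units whose titles
# are hostile to naive command assembly, one starting with "--", one carrying ';'.
SAMPLE_PLAN = """# Plan
## --dry-run
Move token validation into auth/verify.py.
## Add rate limiting; rm -rf /tmp/x
Cap login attempts at 5 per minute.
"""


def parse_work_units(plan_text):
    """Return (title, body) pairs, one per '## ' heading in the plan (assumed format)."""
    units, title, body = [], None, []
    for line in plan_text.splitlines():
        if line.startswith("## "):
            if title is not None:
                units.append((title, "\n".join(body).strip()))
            title, body = line[3:].strip(), []
        elif title is not None:
            body.append(line)
    if title is not None:
        units.append((title, "\n".join(body).strip()))
    return units


def interpolated_command(title, body):
    """VULNERABLE: plan text spliced into a shell string, the pattern the finding warns about."""
    return f"uv run {GH_SCRIPT} --title {title} --body {body}"


def shell_words(command):
    """Approximate POSIX shell tokenization of a command string; ';' '|' '&' become separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def naive_argv(title, body):
    """STILL WEAK: an argv list avoids the shell, but a title that begins with '--'
    is placed exactly where the option parser expects a value."""
    return ["uv", "run", GH_SCRIPT, "--title", title, "--body", body]


def safe_argv(title, body):
    """HARDENED: argv list (to be run with shell=False) in '--opt=value' form, so a value
    starting with '-' can never be read as a flag, plus a minimal title sanity check."""
    if not title.strip() or "\n" in title:
        raise ValueError("work unit title must be a single non-empty line")
    return ["uv", "run", GH_SCRIPT, f"--title={title}", f"--body={body}"]


class _StrictParser(argparse.ArgumentParser):
    """Raise instead of calling sys.exit so parse failures are observable in code."""

    def error(self, message):
        raise ValueError(message)


def simulate_gh(argv):
    """Stand-in for gh.py's option parser (assumed interface: --title, --body, --dry-run).
    Returns (title, body, dry_run) as the script would see them, or raises ValueError."""
    parser = _StrictParser(prog="gh.py")
    parser.add_argument("--title", required=True)
    parser.add_argument("--body", required=True)
    parser.add_argument("--dry-run", action="store_true")
    ns = parser.parse_args(argv[3:])  # drop the leading "uv run <script>"
    return ns.title, ns.body, ns.dry_run


if __name__ == "__main__":
    for title, body in parse_work_units(SAMPLE_PLAN):
        print("shell string tokens:", shell_words(interpolated_command(title, body)))
        try:
            print("naive argv parsed as:", simulate_gh(naive_argv(title, body)))
        except ValueError as exc:
            print("naive argv rejected:", exc)
        print("safe argv parsed as:", simulate_gh(safe_argv(title, body)))
```

Run stand-alone, the first unit shows the '--dry-run' title being consumed as a flag (the naive argv fails to parse, and in a shell string it is a free-standing option), while the second shows the ';' title turning into a second command only in the interpolated string; the argv list keeps it as one inert value. The hardened builder passes both titles through unchanged as data. Whatever the real gh.py accepts, the two controls carry over: never join plan text into a shell string, and bind each value to its option with '=' so the option parser cannot mistake it for a flag.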