domain-planner

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/review_plan.py uses subprocess.run to execute an external command. The binary name (defaulting to codex) is configurable via the --codex-bin command-line argument, so the agent can execute an arbitrary local binary if that argument is supplied by an untrusted source or manipulated during the orchestration process.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It reads and parses various markdown files, including project indexes (INDEX.md), API contracts (shared.md), and mode configurations (modes/*.md). These files serve as the primary context for the agent's decision-making and the instructions passed to sub-agents during orchestration. Malicious instructions embedded in these documents could hijack the planning or implementation flow.
  • [COMMAND_EXECUTION]: The scripts/init_slice.py script automates the creation of directory structures and files on the local file system, resolving paths based on environment variables and configuration files. While it validates the slice name, it relies on potentially untrusted configuration data to determine where files are written.
  • [PROMPT_INJECTION]: The quality assessment and orchestration modes rely on a feedback loop where an 'Assessor' agent evaluates content generated by a 'Fixer' or 'Scaffolder' agent. This multi-agent coordination pattern is vulnerable if one agent's output contains instructions designed to influence or deceive the evaluating sub-agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 02:39 PM