team-planex-v2
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool for session directory management and cleanup. While the primary orchestrator sanitizes inputs used in paths via regex-based slugs, the agent-instruction.md template for sub-agents includes command patterns like ccw issue create --context '{raw_input}'. If {raw_input} is not properly escaped by the sub-agent before execution, it could lead to command injection vulnerabilities.
- [PROMPT_INJECTION]: The pipeline ingests untrusted data from multiple sources, including CLI arguments, external plan files, and issue trackers. This data is used to dynamically generate tasks and instructions for sub-agents.
  - Ingestion points: Untrusted content is read from raw CLI arguments, from external plan files via the Read tool, and from issue metadata via ccw issue commands.
  - Boundary markers: The skill relies on structured CSV and JSON for data flow between agents, but it does not implement explicit delimiters or safety instructions when interpolating external text into sub-agent prompts.
  - Capability inventory: Spawned agents have significant capabilities, including the ability to execute shell commands (Bash), read and write files, and interact with other LLM models (ccw cli).
  - Sanitization: While input used in session file paths is sanitized, the descriptive text and plan content passed into sub-agent instructions are not sanitized for potential injection patterns.
Audit Metadata