wave-plan-pipeline
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is vulnerable to command injection in Phase 1 and Phase 3. It constructs shell commands by interpolating the user-provided requirement directly into a Bash call for the ccw CLI tool without shell escaping, so shell metacharacters in the requirement are interpreted by the shell.
- [PROMPT_INJECTION]: The requirement argument is used directly in LLM prompts, allowing prompt injection in which a user can override the agent's planning logic.
- [COMMAND_EXECUTION]: The skill executes execution_directives (shell commands) that are generated dynamically by an LLM during the planning phase. If the planning phase is compromised, the attacker controls what is executed.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface through its context propagation mechanism. Findings from exploration agents are concatenated and passed as instructions to execution agents without sanitization.
  - Ingestion points: the user requirement input, explore.csv (agent findings), and tasks.csv (agent findings), as processed in SKILL.md.
  - Boundary markers: the dynamic instructions in buildExploreInstruction and buildExecuteInstruction use markdown headers and dashed lines to separate sections but do not include explicit 'ignore' instructions for interpolated content.
  - Capability inventory: the skill uses spawn_agents_on_csv, Bash, Read, Write, Edit, Glob, and Grep across multiple stages.
  - Sanitization: the skill performs CSV-specific quote escaping but lacks semantic sanitization to prevent data from being interpreted as instructions by the sub-agents.
Audit Metadata