workflow-wave-plan
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a significant surface for Indirect Prompt Injection (Category 8) because exploration findings from the local codebase are used to construct execution prompts for sub-agents.
- Ingestion points: The
Exploreagents (Phase 2) read files and patterns from the local codebase, writing discoveries toexplore.csvanddiscoveries.ndjson. - Boundary markers: The skill lacks robust delimiters (like XML tags or random delimiters) or "ignore embedded instructions" warnings when interpolating these findings into the
Execute Agent Prompt. - Capability inventory: The skill possesses extensive capabilities through
Bash,Task,Read, andWritetools, allowing sub-agents to modify files and run arbitrary shell commands. - Sanitization: Findings are truncated and CSV-escaped for formatting purposes, but no semantic sanitization or validation is performed to ensure the data does not contain malicious instructions.
- [COMMAND_EXECUTION]: The workflow relies on dynamic command generation and execution via the
execution_directivesfield intasks.csv. - During Phase 3 (Synthesis & Plan), the planner generates commands for verification based on exploration results.
- During Phase 4 (Wave Execute), sub-agents are explicitly instructed to "Execute commands from execution_directives to verify your work."
- This design pattern creates a risk where malicious content found during exploration could manipulate the planner into generating harmful bash commands that are subsequently executed by the sub-agent.
Audit Metadata