executing-plans
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- Prompt Injection (LOW): This skill is vulnerable to Indirect Prompt Injection (Category 8) because its primary function is to read and execute arbitrary instructions from an external source (the plan file).
- Ingestion points: Step 1.1 in 'SKILL.md' (Reading the plan file into the agent's context).
- Boundary markers: The skill relies on natural language instructions for the agent to 'Review critically' but lacks technical delimiters or schema validation to separate untrusted data from system instructions.
- Capability inventory: The skill allows the agent to follow steps exactly (Step 2.2) and run verifications (Step 2.3), which may include shell commands or file modifications through associated skills like 'git-worktrees'.
- Sanitization: No automated sanitization or content filtering is implemented for the plan file content.
Audit Metadata