writing-plans
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill is vulnerable to Indirect Prompt Injection because it ingests untrusted external content and produces output that influences downstream execution agents.
  - Ingestion points: The skill reads external data from `spec/requirements` and explores the project structure via `view .` as described in the "Before Writing" section of `SKILL.md`.
  - Boundary markers: Absent. There are no instructions to delimit the untrusted requirements or to ignore embedded natural language instructions within the specs.
  - Capability inventory: While this skill only writes markdown files, its output is explicitly designed to be consumed by high-privilege skills like `subagent-driven-development` and `executing-plans`, which execute shell commands (`bash`, `git`, `pytest`).
  - Sanitization: Absent. The skill instructions do not require the agent to sanitize or validate the content of the requirements before interpolating them into a plan.
- COMMAND_EXECUTION (LOW): The skill instructions direct the agent to generate and record shell commands (e.g., `pytest`, `git commit`) for future execution. While the skill itself doesn't execute these, it creates the execution vectors for other agents.
Audit Metadata