planning
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill exhibits a significant Indirect Prompt Injection surface by synthesizing external data into technical plans. Ingestion points: External data enters via 'researcher-XX-report.md' and 'scout-XX-report.md' (File: SKILL.md). Boundary markers: Absent; the skill does not define delimiters or instructions to ignore embedded commands within the processed reports. Capability inventory: Includes executing a local management script ('node .claude/scripts/set-active-plan.cjs') and extensive file system write operations in the 'plans/' directory. Sanitization: Absent; content from untrusted reports is used directly in the decision-making process for system architecture and script arguments.
- COMMAND_EXECUTION (MEDIUM): The skill automatically triggers a local shell command: 'node .claude/scripts/set-active-plan.cjs {plan-dir}' (File: SKILL.md). This execution path is a risk if an attacker can manipulate the naming convention or the environment leading up to the script execution.
Recommendations
- AI detected serious security threats
Audit Metadata