create-plan
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill repeatedly uses the parameter `mode: "bypassPermissions"` when spawning sub-agents (Planner and Validators) in `SKILL.md` (Step 3 and Step 7) and `references/delegation-guide.md`. This represents an explicit attempt to escalate privileges by instructing the system to ignore established security and permission boundaries.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. It ingests untrusted data from user-provided arguments and codebase content, then interpolates this data directly into prompts for sub-agents without sanitization or boundary markers.
  - Ingestion points: `SKILL.md` (Step 1, Step 2.5, and Step 3) ingests data via `$ARGUMENTS` and codebase exploration results.
  - Boundary markers: Absent. Input is concatenated directly into prompt strings (e.g., `{feature description}`).
  - Capability inventory: The skill and its sub-agents have extensive capabilities, including `Write`, `Edit`, `Task` (agent spawning), and `SendMessage`.
  - Sanitization: None detected. There is no evidence of validation or escaping for the ingested content before it is processed by the LLM.
- [COMMAND_EXECUTION]: The skill executes shell commands directly to list directory contents (`ls plans/`) in `SKILL.md` to prevent naming conflicts.
Recommendations
- AI detected serious security threats