executing-plans

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill exposes a large indirect prompt injection surface: it reads an external plan file and instructs the agent to 'Follow each step exactly' (Step 2), with no mechanism to distinguish intended tasks from malicious instructions embedded in the plan. Ingestion point: the plan file loaded in Step 1.1. Boundary markers: absent; the agent is given no delimiters or instructions to treat plan content as data only. Capability inventory: the agent is authorized to execute implementation tasks, write code, and run verifications (shell/tool access). Sanitization: absent; the plan's contents are acted on without validation.
  • [Command Execution] (HIGH): Step 2 instructs the agent to 'Run verifications as specified' in the plan, so external data decides which system commands or tool executions are triggered; nothing constrains them to an expected set.
  • [Remote Code Execution] (HIGH): No script download URLs are hardcoded, but the skill's logic executes whatever steps an external source supplies, which amounts to RCE whenever the plan file comes from an untrusted location.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 09:01 PM