phase-running
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to extract and execute shell commands defined in the 'Success Criteria' section of an implementation plan file. This capability allows for arbitrary command execution based on the contents of a plan file provided to the agent.
- Evidence: SKILL.md Step 4 instructions: 'Execute the automated verification commands from the phase's "Success Criteria" section: 1. Run each command listed under "Automated Verification"'.
- [PROMPT_INJECTION]: The instructions mandate fully autonomous operation ('Autopilot') and explicitly prohibit the use of interactive tools like
AskUserQuestion, effectively bypassing human-in-the-loop safety checks for potentially dangerous actions like file modification or command execution. - Evidence: SKILL.md 'Autonomy' section: 'Phase agents always run as Autopilot within the sub-agent... CRITICAL: Phase agents do NOT use AskUserQuestion.'
- [PROMPT_INJECTION]: The skill processes user-supplied plan files which serve as the primary instruction set for its actions, creating a surface for indirect prompt injection where malicious content in a plan could trigger unauthorized commands or file edits.
- Ingestion points: Reads the full plan file and all source files referenced in the phase (SKILL.md Step 1).
- Boundary markers: Absent; the agent is instructed to 'Follow the plan's instructions precisely'.
- Capability inventory: File modification (
Edit,Writetools) and shell command execution (Step 4). - Sanitization: None specified; the skill is designed to faithfully implement the instructions found within the ingested plan.
Audit Metadata