subagent-planificator
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect injection because it aggregates content from multiple specialist agents into a final master plan and uses that content to determine consensus.
  - Ingestion points: Specialist drafts (`draft-*.md`) and reviews (`review-*.md`) are read by the Orchestrator and Master Planner agents (referenced in `SKILL.md` and `references/plan-templates.md`).
  - Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the subagent outputs.
  - Capability inventory: The Orchestrator has the capability to execute shell scripts (via `references/waiting-script.md`), write files to the filesystem, and dispatch further agents.
  - Sanitization: Absent. The skill does not sanitize or escape specialist content before processing or combining it into the final `master-plan.md`.
- Command Execution (HIGH): The utility script `references/waiting-script.md` contains a critical security flaw in the `wait_with_callback` function.
  - Evidence: The function uses `eval "$callback \"$files\""`. If a filename generated during the planning phase contains shell metacharacters (e.g., backticks or semicolons), the `eval` command will execute them as shell commands.
- Dynamic Execution (MEDIUM): The skill relies on generating and executing shell scripts for process coordination (e.g., file polling with `sleep`).
  - Evidence: `references/waiting-script.md` provides several bash scripts designed to be executed at runtime by the agent. While the scripts are provided within the skill, the pattern of AI-driven shell execution increases the overall attack surface.
Recommendations
- AI detected serious security threats