executing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill directs the agent to 'Follow each step exactly' from an external plan file. This creates a high-risk surface for Indirect Prompt Injection, as the agent is instructed to treat the content of the plan as authoritative instructions.
- COMMAND_EXECUTION (HIGH): In Step 2, the skill explicitly requires the agent to 'Run verifications as specified' and follow bite-sized steps. This implies the execution of shell commands, scripts, or test suites which are defined in the untrusted plan file.
- Indirect Prompt Injection (HIGH):
  - Ingestion points: Step 1 involves reading a plan file from the workspace.
  - Boundary markers: None specified; the skill does not instruct the agent to distinguish between implementation steps and malicious override instructions within the plan.
  - Capability inventory: The skill possesses file-write capabilities ('Create TodoWrite') and command execution capabilities ('Run verifications').
  - Sanitization: No sanitization or validation of the plan file content is mentioned.
Recommendations
- AI detected serious security threats
Audit Metadata