create-plan
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill creates a vulnerability surface by ingesting untrusted data from the local workspace to generate actionable instructions for a 'buildout' phase.
  - Ingestion points: The workflow reads README.md, CONTRIBUTING.md, ARCHITECTURE.md, and other 'relevant files' from the repository.
  - Boundary markers: Absent. The instructions do not provide the agent with delimiters or specific logic to treat the contents of these files as data rather than instructions.
  - Capability inventory: The skill writes plan files to the local filesystem (.cursor/plans/). While it requires user approval before execution, the plan's 'action items' are derived directly from the analyzed (and potentially poisoned) files.
  - Sanitization: No sanitization or validation of the input file content is performed before it is interpolated into the markdown plan template.
Audit Metadata