code-no-test
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands to automate development tasks. Specifically, it uses a pipeline of `find`, `stat`, `sort`, and `cut` to identify the most recent implementation plan. It also performs Git operations, including `git commit` and `git push`, to finalize work.
- [PROMPT_INJECTION]: The skill processes untrusted content through the `$ARGUMENTS` variable and by reading external documentation and plan files (e.g., `plan.md`). This ingestion surface could be used for indirect prompt injection attacks.
- Ingestion points: Untrusted data is ingested from the `$ARGUMENTS` parameter and from external files located in `./plans` and `.ai/workspace/analysis/`.
- Boundary markers: The skill attempts to encapsulate input using `<plan>` tags and provides explicit instructions for the agent to maintain skepticism.
- Capability inventory: The agent has the ability to read and write files, execute shell commands for plan discovery, and perform Git commits and pushes.
- Sanitization: No explicit sanitization or escaping of the plan content is described before it is integrated into the agent's context. However, the workflow enforces a 'Code Review' step by a separate subagent and a 'User Approval' blocking gate to mitigate the risk of malicious instructions being executed autonomously.
Audit Metadata