kanban
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a local JavaScript file (server.cjs) via Node.js as a background task.
- [DATA_EXFILTRATION]: The local server binds to all network interfaces (0.0.0.0), exposing the targeted directory contents to the local network. This is an intentional feature for remote access but presents a data exposure risk if the environment is sensitive.
- [PROMPT_INJECTION]: The skill creates an attack surface for indirect prompt injection by processing untrusted files from a project directory without sanitization or boundary markers. If these files contain malicious instructions, the agent might execute them while performing its task planning duties.
  - Ingestion points: Local files in the ./plans directory (or user-specified directory).
  - Boundary markers: Absent; the skill does not use delimiters or instructions to ignore embedded content.
  - Capability inventory: Shell command execution via the Bash tool (e.g., node).
  - Sanitization: Absent; the content of ingested files is not validated or escaped before processing.
Audit Metadata