plan-fast
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill reads codebase files such as codebase-summary.md and project-overview-pdr.md alongside the user task, and it has write and execute capabilities (creating files and running a node script). Evidence: 1. Ingestion points: multiple .md files from the codebase plus $ARGUMENTS. 2. Boundary markers: absent. 3. Capability inventory: executes 'node .claude/scripts/set-active-plan.cjs' and creates directories and files. 4. Sanitization: absent. Malicious content planted in those files can therefore hijack the agent's logic or influence the arguments passed to the script.
- Command Execution (MEDIUM): The workflow runs 'node .claude/scripts/set-active-plan.cjs {plan-dir}', where {plan-dir} is determined at runtime from context. If that value can be influenced by untrusted codebase content, an attacker can inject arguments (for example an option-like value, or a path that resolves outside the plans directory) or otherwise cause unexpected script behaviour.
Recommendations
- AI detected serious security threats.
- Treat the ingested codebase files and $ARGUMENTS as untrusted data: wrap their contents in explicit boundary markers and tell the agent that text inside those markers is data to summarise, not instructions to follow.
- Validate {plan-dir} before it reaches 'node .claude/scripts/set-active-plan.cjs': accept only a relative, allowlisted directory name under the plans directory, reject option-like values, and pass it as a separate argument rather than through a shell string.