plan-hard
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill creates a significant indirect prompt injection surface by ingesting untrusted data from multiple sources.
- Ingestion points: Reads codebase files such as `codebase-summary.md` and reports from `researcher` subagents, which may contain content from external lookups.
- Boundary markers: Absent. Content is passed directly to the `planner` subagent without delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill can write multiple implementation files, execute local scripts, and perform slash commands based on the injected data.
- Sanitization: Absent. Malicious content in the codebase could hijack the subagents to generate backdoored implementation plans or manipulate the agent into executing commands.
- [COMMAND_EXECUTION] (MEDIUM): The skill executes `node .claude/scripts/set-active-plan.cjs {plan-dir}`. This pattern is dangerous when interacting with untrusted repositories, as an attacker can place malicious code in the `.claude/scripts` directory, which the skill will then execute automatically. Additionally, the `{plan-dir}` argument is derived from environment metadata, which may be subject to manipulation.
Recommendations
- AI detected serious security threats
Audit Metadata