plans-kanban
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill documentation and metadata contain imperative instructions directing the AI agent to follow specific operational protocols for task planning and user confirmation.
- [PROMPT_INJECTION]: The skill processes external plan.md files from the local filesystem, creating an indirect prompt injection surface.
- Ingestion points:
plan-scanner.cjsandplan-parser.cjsread markdown files from user-defined directories. - Boundary markers: No specific delimiters or instructions are used to isolate content from these files in the data provided to the agent.
- Capability inventory: The skill has the ability to execute system commands (
execSync,spawn) and serve local files over HTTP. - Sanitization: HTML escaping is performed for the dashboard UI, but the raw file content is accessible via API and file-serving routes.
- [COMMAND_EXECUTION]: The server script in
server.cjsutilizeschild_process.execSyncto invoke system-specific browser commands andprocess.killto manage server process lifecycles. - [REMOTE_CODE_EXECUTION]: The
http-server.cjsscript attempts to dynamically load modules usingrequirewith computed paths targeting a separate skill (markdown-novel-viewer), which introduces risks associated with runtime dependency on external directory structures. - [EXTERNAL_DOWNLOADS]: The skill specifies the
gray-matterpackage as a required dependency to be installed from the npm registry.
Audit Metadata