planning
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill executes a local Node.js script located at
.claude/scripts/set-active-plan.cjs. While used for session management, executing scripts from the project directory is a risk if the workspace is untrusted. - [EXTERNAL_DOWNLOADS] (MEDIUM): The skill uses the
repomix --remotecommand to download and process content from arbitrary GitHub repositories. This can introduce malicious instructions or untrusted data into the agent's context. - [DATA_EXFILTRATION] (MEDIUM): The instructions in
references/codebase-understanding.mdexplicitly direct the agent to analyze.envand configuration files. This constitutes sensitive data exposure, as secrets could be leaked during the planning process. - [PROMPT_INJECTION] (LOW): The skill exhibits a significant attack surface for Indirect Prompt Injection (Category 8) because it processes untrusted data from multiple sources.
- Ingestion points: GitHub Actions logs, Pull Requests, Issues, local codebase files, and remote repositories fetched via
repomix(identified inreferences/research-phase.md). - Boundary markers: The instructions do not define delimiters or warnings to ignore instructions embedded within the ingested data.
- Capability inventory: The skill can execute shell commands (
node,git,gh,repomix) and write files to the working directory. - Sanitization: No sanitization or validation of the external content is prescribed before it is processed by the agent.
Audit Metadata