plan-to-action
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains a blocking check that instructs the user to disable safety filters by restarting the agent with the
--dangerously-skip-permissionsflag. This removes the human-in-the-loop security model required for safe execution. - [PROMPT_INJECTION]: Instructions explicitly direct subagents to run "completely autonomously" and "not ask for input," which prevents the user from intercepting potentially malicious commands generated during the execution of a plan.
- [COMMAND_EXECUTION]: The skill facilitates the execution of arbitrary commands by spawning worker swarms to implement tasks parsed from an external markdown file. These workers are granted permissions to write files, run tests, and make commits without oversight.
- [DATA_EXFILTRATION]: Because the skill operates with skipped permissions and autonomous workers, it is vulnerable to exfiltrating sensitive data (such as environment variables or SSH keys) if a malicious plan file instructs the agent to read these files and send them to a remote server using tools like
curlorwget. - [VULNERABILITY_SURFACE_INDIRECT_INJECTION]:
- Ingestion points: The skill reads and parses a "plan markdown file" (SKILL.md, Phase 1) provided by the user or found in the codebase.
- Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands within the plan file.
- Capability inventory: The skill uses
TodoWriteto define tasks, spawns agent swarms to execute code, writes to the file system, runs shell commands for tests and linting, and performs git commits (SKILL.md, Phase 2-4). - Sanitization: Absent. There is no validation or filtering of the task descriptions or instructions extracted from the markdown file before they are passed to the subagents for execution.
Recommendations
- AI detected serious security threats
Audit Metadata