plot-approve
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local shell script at `../plot/scripts/plot-pr-state.sh` and various `git` and `gh` (GitHub CLI) commands. The content of the local helper script is not provided within the skill for verification.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations using the GitHub CLI (`gh`) to list, merge, and create pull requests, as well as fetching user identity data from the GitHub API.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it parses untrusted data from external files.
  - Ingestion points: Content is read from Markdown plan files located in `docs/plans/active/*.md` and from pull request data returned by the GitHub CLI.
  - Boundary markers: There are no explicit delimiters or instructions to ignore embedded instructions when the agent parses the plan file content.
  - Capability inventory: The agent has the ability to perform file system writes, create git commits/pushes, and execute GitHub CLI commands (merging and creating PRs).
  - Sanitization: The skill lacks sanitization for the branch descriptions extracted from plan files before they are interpolated into new pull request bodies.
Audit Metadata