plot-sprint
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute several shell commands, including `git`, `mkdir`, `ln`, and `date`. These commands incorporate user-supplied input (slugs and goals) into command arguments. While the skill includes prompt-level instructions for the agent to sanitize these inputs (e.g., 'lowercase, hyphens only'), this remains a potential vector for command injection if sanitization fails.
- [INDIRECT_PROMPT_INJECTION]: The skill demonstrates an indirect prompt injection surface (Category 8):
  - Ingestion points: The `close` and `status` subcommands read content from external files located in `docs/plans/active/` and `docs/sprints/` to check delivery status and progress.
  - Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions when processing the content of these external files.
  - Capability inventory: The skill has significant capabilities, including writing to the filesystem and performing `git push` operations directly to the main branch.
  - Sanitization: There is no explicit sanitization or validation of the content read from plan files before it is processed by the agent.
Audit Metadata