executing-plans
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to ingest and execute instructions from external plan files, creating a surface for indirect prompt injection.
- Ingestion points: Reads plan content from files such as `Plan.md` or files located in the `docs/plans/` directory, as specified in `SKILL.md` and `evals/evals.json`.
- Boundary markers: The instructions do not define specific delimiters (like XML tags or triple quotes) to encapsulate the loaded plan content, nor do they include instructions to disregard potential injection patterns within those files.
- Capability inventory: The skill is explicitly designed to carry out tasks which include file modifications and command executions based on the steps provided in the plan.
- Sanitization: There is no logic provided to sanitize or validate the content of the plan files before execution, though the 'Review critically' step acts as a partial manual mitigation.
Audit Metadata