executing-plans
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and executes instructions from an external plan file (Step 1). An attacker could provide a plan containing malicious instructions that the agent would then follow during implementation or verification phases. ● Ingestion points: Read plan file (Step 1). ● Boundary markers: No delimiters or isolation protocols are specified to distinguish plan content from system instructions. ● Capability inventory: Task execution and 'verifications' (Step 2) imply the ability to modify files and execute shell commands. ● Sanitization: No validation or filtering of the plan content is performed before execution.
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to 'Run verifications as specified' in the external plan. This creates a potential for arbitrary command execution if the verification steps in the plan contain malicious shell scripts or binary executions.
Audit Metadata