deep-plan
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill effectively mitigates indirect prompt injection risks by using structured delimiters and explicit behavioral overrides.
  1. Ingestion points: User-provided feature descriptions, constraints, and research artifacts are ingested into sub-agent prompts.
  2. Boundary markers: Employs and tags with instructions for sub-agents to treat content as non-authoritative data.
  3. Capability inventory: Specialist agents are restricted to read-only codebase exploration tools (Read, Glob, Grep). The orchestrator is restricted to writing only within the .speak-memory/ directory.
  4. Sanitization: Relies on structural isolation and model-level instruction following.
- [COMMAND_EXECUTION]: The skill includes a strict policy for the Bash tool, limiting its use to repository root identification and manifest reading, which prevents the execution of arbitrary or destructive commands.
- [EXTERNAL_DOWNLOADS]: The trade-off arbiter agent is authorized to use WebSearch and WebFetch for the legitimate purpose of validating technical decisions against external best practices and known failure patterns.
Audit Metadata