deepen-plan
Warn
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs extensive discovery using shell commands such as `find`, `ls`, and `grep` across project directories and sensitive user paths, specifically within the `~/.claude/` directory. These commands are used to identify and read configuration files and instruction sets from the user's environment.
- [DATA_EXFILTRATION]: The skill reads `~/.claude/plugins/installed_plugins.json`, which is a configuration file containing metadata about the user's Claude setup, including plugin paths and installed extensions. This information could provide an attacker with a map of the local execution environment.
- [PROMPT_INJECTION]: The instructions explicitly direct the agent to "Follow the skill's instructions exactly" and "Do NOT filter agents by 'relevance' - run them ALL". This behavior creates a significant attack surface for indirect prompt injection; the agent is forced to execute any instruction found in discovered markdown files (such as those in `docs/solutions/` or third-party plugin directories), which could contain malicious or conflicting directives.
- [PROMPT_INJECTION]: The skill incorporates an indirect prompt injection surface by ingesting untrusted data from the project's `docs/solutions` directory and the global plugin cache.
  - Ingestion points: Reads all `.md` files in `docs/solutions/`, `.claude/docs/`, and various plugin `skills/` or `agents/` directories.
  - Boundary markers: Uses simple separators like `--- [full plan content] ---` but lacks instructions to the sub-agent to ignore potential command-like patterns within those files.
  - Capability inventory: Uses `Task` spawning and shell commands (`find`, `cat`, `head`) to execute and process the discovered content.
  - Sanitization: No sanitization or validation of the content of the discovered files is performed before they are used to instruct sub-agents.
Audit Metadata