planning-with-files
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, NO_CODE
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core design.
- Ingestion points: The agent is instructed to read from task_plan.md, findings.md, and progress.md to 're-orient' and 'refresh goals'.
- Boundary markers: No boundary markers or 'ignore embedded instructions' warnings are present in the provided markdown templates.
- Capability inventory: The skill is intended for complex tasks involving browser/search tools and multiple tool calls.
- Sanitization: There is no instruction to sanitize or validate content before saving external data to the findings files. If an agent browses an attacker-controlled site, malicious instructions could be saved and later executed when the agent reads the file.
- [DATA_EXPOSURE] (LOW): The 'Log ALL Errors' and '2-Action Rule' encourage the agent to persist data to disk in plaintext. If the agent's task involves handling credentials or PII, this sensitive information may be inadvertently exposed in the local markdown files.
- [NO_CODE] (SAFE): The skill consists solely of markdown instructions and templates; it includes no scripts, binaries, or third-party package dependencies.
Audit Metadata