strategic-roadmap-planner
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
child_process.execSyncto rungit logcommands for calculating project velocity. These commands are hardcoded as static strings and execute within the user-specified project directory, which is resolved and validated before use. This is a standard and safe implementation for the skill's intended purpose. - [PROMPT_INJECTION]: The skill represents a surface for indirect prompt injection because it reads and analyzes the content of local source files (searching for 'TODO', 'HACK', etc.). Maliciously crafted comments in a project's codebase could theoretically attempt to influence the agent's roadmap summary, although the structured JSON output format and logic-based analysis significantly mitigate this risk.
- [DATA_EXFILTRATION]: While the skill reads sensitive local files for analysis, it does not contain any network-capable operations (such as curl, fetch, or http modules). All output is directed to the local console or a user-specified output file via a secure I/O utility.
Audit Metadata