plan-review
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It is designed to ingest and process project plans, which are external and potentially untrusted data sources. Because the agent has access to powerful tools like Bash, Write, and Edit, and the instructions lack boundary markers or explicit warnings to ignore instructions embedded within the plans, a malicious document could influence the agent's behavior.
  - Ingestion points: The Read tool is used to ingest external project documentation as described in the review workflow in SKILL.md.
  - Boundary markers: The instructions lack boundary markers or specific delimiters to isolate untrusted input from agent instructions.
  - Capability inventory: The skill has access to the Bash, Write, and Edit tools, which could be abused in a successful injection scenario.
  - Sanitization: No sanitization or validation of the input content is performed before processing.
- [COMMAND_EXECUTION]: The skill provides specific instructions for the agent to execute a Python script located at .claude/skills/project-diagrams/scripts/generate_schematic.py. This path is external to the skill's own directory, creating a dependency on files whose integrity and source cannot be verified within the context of this skill alone.
Audit Metadata