plan-reviewer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [Command Execution] (HIGH): The skill calls run_shell_command to execute a script located at ~/.gemini/extensions/pickle-rick/scripts/get_session.sh. Executing scripts from external or hidden extension paths is dangerous because the script's behavior is opaque and not managed by the skill itself.
- [Prompt Injection] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes external implementation plans to drive its logic.
  1. Ingestion points: Reads plan files from [Session_Root].
  2. Boundary markers: Absent.
  3. Capability inventory: The skill can execute shell commands and trigger downstream execution skills like code-implementer.
  4. Sanitization: Absent.
  An attacker could embed instructions in a plan to trick the architect into approving malicious code implementation.
- [Unverifiable Dependencies] (MEDIUM): The skill has a hardcoded dependency on an extension named 'pickle-rick' that is not defined within its own scope, introducing an external risk factor.
Recommendations
- AI detected serious security threats
Audit Metadata