gg-plan-backlog
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads issue descriptions from an external backlog system (via
mcp__beads__show) and passes that untrusted data to the/prompt-writer:writeskill to generate worker prompts. Maliciously crafted issue content could potentially subvert the instructions given to downstream agents.\n - Ingestion points: Data retrieved from the Beads backlog system via
mcp__beads__showin SKILL.md.\n - Boundary markers: There are no explicit delimiters or instructions provided to the agent to treat the issue content as untrusted data.\n
- Capability inventory: The skill possesses the ability to update backlog items, set priorities, and invoke other specialized skills like prompt writing and plan decomposition.\n
- Sanitization: No sanitization or filtering of the backlog data is performed before it is used to generate prompts.\n- [COMMAND_EXECUTION]: The skill utilizes a local CLI tool named
bdto perform administrative tasks such as viewing statistics, listing issues, and updating issue metadata. These executions are expected for the skill's primary purpose of backlog grooming.
Audit Metadata