execute-blueprint

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and executes instructions from external 'plan' files (e.g., in docs/plans/) without sanitization.
  • Ingestion points: Reads plan files and milestone documents from docs/plans/ or user-provided paths into the main agent context and dispatches them to subagents.
  • Boundary markers: Absent. The skill instructions state that objective text, acceptance criteria, and instructions are passed 'verbatim' from the plan into subagent prompts.
  • Capability inventory: Filesystem read/write, git commit (skill-managed mode), and arbitrary shell command execution (via subagents running tests/linters).
  • Sanitization: Absent. The main agent and subagents are instructed to follow the plan contents exactly as written.
  • [COMMAND_EXECUTION]: The Verification Subagent is designed to execute shell commands (test runners, linters, type checkers) derived directly from the 'Tool Chain' configuration and checklist items defined within the plan file. This creates a direct path for arbitrary command execution if a plan file contains malicious shell commands.
  • [EXTERNAL_DOWNLOADS]: The Build Subagent is explicitly authorized to introduce and install new software dependencies if the plan's instructions call for them. This presents a risk of installing untrusted or malicious packages from public registries if the input plan is compromised.
Audit Metadata
Risk Level: SAFE
Analyzed: May 7, 2026, 08:37 PM