create-plans
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill exhibits an indirect prompt injection surface by design. It ingests data from untrusted project files (such as BRIEF.md, ROADMAP.md, and FINDINGS.md) and interpolates them into PLAN.md files, which serve as direct execution prompts for the agent.\n
- Ingestion points: Project artifacts located in the
.planning/directory and source files referenced using@contexttags.\n - Boundary markers: The skill uses XML-style tags (e.g.,
<task>,<action>,<verify>) to structure the generated plans, which provides some structural separation but does not prevent content-based injection.\n - Capability inventory: The generated plans are intended to be executed by the agent, which has capabilities including file system modification, shell command execution, and git operations.\n
- Sanitization: There is no evidence of explicit sanitization or escaping of the ingested project data before it is interpolated into the generated instructions.\n- COMMAND_EXECUTION (SAFE): The workflow files contain hardcoded bash and git commands (e.g.,
git init,git commit,mkdir,ls,rm,find) used for project lifecycle management and version control. These commands are standard for developer tools and do not incorporate untrusted variables into the command strings in a way that allows injection.\n- DATA_EXPOSURE (SAFE): The skill reads project files and 'domain expertise' files from the~/.claude/skills/expertise/directory. This access is local and consistent with the skill's purpose. No sensitive paths (like SSH keys or AWS credentials) are accessed, and no data exfiltration to external domains was detected.
Audit Metadata