flow-plan-review
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill instructs the agent to execute shell commands using the
rp-clitool. It interpolates user-provided#$ARGUMENTSdirectly into the command execution strings (e.g.,rp-cli -w <id> -e 'builder ...'). This pattern presents a risk of command injection if the input contains shell metacharacters or maliciously crafted strings intended to escape the intended command context.\n- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests and processes untrusted external data in the form of plan files and architecture documents.\n - Ingestion points: Implementation plans (
plans/<slug>.md) and architecture docs provided via arguments.\n - Boundary markers: Absent. The instructions do not use delimiters or provide "ignore embedded instructions" warnings when passing data to the context builder.\n
- Capability inventory: The skill utilizes
rp-clito perform file reads, directory searches, and send messages to a separate chat environment.\n - Sanitization: Absent. There is no evidence of sanitization, validation, or escaping of the file content before it is interpolated into the context building and chat delegation phases.
Audit Metadata